c-l/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2024-12-29 15:11:58 +00:00
Code Releases Activity

WIP

Browse source
This commit is contained in:
Jason Rasmussen 2024-04-17 17:14:25 -04:00
parent c9a079201a
commit f7285191bd
No known key found for this signature in database
GPG key ID: 75AD31BF84C94773
61 changed files with 1090 additions and 284 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
e2e/src/api/specs/library.e2e-spec.ts
View file

@ -8,7 +8,7 @@ import {
} from '@immich/sdk'; } from '@immich/sdk';
import { cpSync, existsSync } from 'node:fs'; import { cpSync, existsSync } from 'node:fs';
import { Socket } from 'socket.io-client'; import { Socket } from 'socket.io-client';
import { userDto, uuidDto } from 'src/fixtures'; import { createUserDto, uuidDto } from 'src/fixtures';
import { errorDto } from 'src/responses'; import { errorDto } from 'src/responses';
import { app, asBearerAuth, testAssetDir, testAssetDirInternal, utils } from 'src/utils'; import { app, asBearerAuth, testAssetDir, testAssetDirInternal, utils } from 'src/utils';
import request from 'supertest'; import request from 'supertest';
@ -18,7 +18,7 @@ import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
const scan = async (accessToken: string, id: string, dto: ScanLibraryDto = {}) => const scan = async (accessToken: string, id: string, dto: ScanLibraryDto = {}) =>
scanLibrary({ id, scanLibraryDto: dto }, { headers: asBearerAuth(accessToken) }); scanLibrary({ id, scanLibraryDto: dto }, { headers: asBearerAuth(accessToken) });
describe('/library', () => { describe.skip('/library', () => {
let admin: LoginResponseDto; let admin: LoginResponseDto;
let user: LoginResponseDto; let user: LoginResponseDto;
let library: LibraryResponseDto; let library: LibraryResponseDto;
@ -28,7 +28,7 @@ describe('/library', () => {
await utils.resetDatabase(); await utils.resetDatabase();
admin = await utils.adminSetup(); admin = await utils.adminSetup();
await utils.resetAdminConfig(admin.accessToken); await utils.resetAdminConfig(admin.accessToken);
user = await utils.userSetup(admin.accessToken, userDto.user1); user = await utils.userSetup(admin.accessToken, createUserDto.user1);
library = await utils.createLibrary(admin.accessToken, { ownerId: admin.userId, type: LibraryType.External }); library = await utils.createLibrary(admin.accessToken, { ownerId: admin.userId, type: LibraryType.External });
websocket = await utils.connectWebsocket(admin.accessToken); websocket = await utils.connectWebsocket(admin.accessToken);
utils.createImageFile(`${testAssetDir}/temp/directoryA/assetA.png`); utils.createImageFile(`${testAssetDir}/temp/directoryA/assetA.png`);

15
e2e/src/api/specs/user.e2e-spec.ts
View file

@ -135,7 +135,7 @@ describe('/user', () => {
expect(body).toEqual(errorDto.unauthorized); expect(body).toEqual(errorDto.unauthorized);
}); });
for (const key of Object.keys(createUserDto.user1)) { for (const key of ['email', 'password', 'name', 'permissionPreset']) {
it(`should not allow null ${key}`, async () => { it(`should not allow null ${key}`, async () => {
const { status, body } = await request(app) const { status, body } = await request(app)
.post(`/user`) .post(`/user`)
@ -146,6 +146,17 @@ describe('/user', () => {
}); });
} }
it(`should require permissions when using the custom preset `, async () => {
const { status, body } = await request(app)
.post(`/user`)
.set('Authorization', `Bearer ${admin.accessToken}`)
.send({ ...createUserDto.user1, permissionPreset: 'custom' });
expect(status).toBe(400);
expect(body).toEqual(
errorDto.badRequest([expect.stringContaining('each value in permissions must be one of the following')]),
);
});
it('should ignore `isAdmin`', async () => { it('should ignore `isAdmin`', async () => {
const { status, body } = await request(app) const { status, body } = await request(app)
.post(`/user`) .post(`/user`)
@ -154,6 +165,7 @@ describe('/user', () => {
email: 'user5@immich.cloud', email: 'user5@immich.cloud',
password: 'password123', password: 'password123',
name: 'Immich', name: 'Immich',
permissionPreset: 'user',
}) })
.set('Authorization', `Bearer ${admin.accessToken}`); .set('Authorization', `Bearer ${admin.accessToken}`);
expect(body).toMatchObject({ expect(body).toMatchObject({
@ -172,6 +184,7 @@ describe('/user', () => {
password: 'Password123', password: 'Password123',
name: 'No Memories', name: 'No Memories',
memoriesEnabled: false, memoriesEnabled: false,
permissionPreset: 'user',
}) })
.set('Authorization', `Bearer ${admin.accessToken}`); .set('Authorization', `Bearer ${admin.accessToken}`);
expect(body).toMatchObject({ expect(body).toMatchObject({

8
e2e/src/fixtures.ts
View file

@ -1,4 +1,4 @@
import { UserAvatarColor } from '@immich/sdk'; import { PermissionPreset, UserAvatarColor } from '@immich/sdk';
export const uuidDto = { export const uuidDto = {
invalid: 'invalid-uuid', invalid: 'invalid-uuid',
@ -26,33 +26,39 @@ export const createUserDto = {
email: `${key}@immich.cloud`, email: `${key}@immich.cloud`,
name: `Generated User ${key}`, name: `Generated User ${key}`,
password: `password-${key}`, password: `password-${key}`,
permissionPreset: PermissionPreset.User,
}; };
}, },
user1: { user1: {
email: 'user1@immich.cloud', email: 'user1@immich.cloud',
name: 'User 1', name: 'User 1',
password: 'password1', password: 'password1',
permissionPreset: PermissionPreset.User,
}, },
user2: { user2: {
email: 'user2@immich.cloud', email: 'user2@immich.cloud',
name: 'User 2', name: 'User 2',
password: 'password12', password: 'password12',
permissionPreset: PermissionPreset.User,
}, },
user3: { user3: {
email: 'user3@immich.cloud', email: 'user3@immich.cloud',
name: 'User 3', name: 'User 3',
permissionPreset: PermissionPreset.User,
password: 'password123', password: 'password123',
}, },
user4: { user4: {
email: 'user4@immich.cloud', email: 'user4@immich.cloud',
name: 'User 4', name: 'User 4',
password: 'password123', password: 'password123',
permissionPreset: PermissionPreset.User,
}, },
userQuota: { userQuota: {
email: 'user-quota@immich.cloud', email: 'user-quota@immich.cloud',
name: 'User Quota', name: 'User Quota',
password: 'password-quota', password: 'password-quota',
quotaSizeInBytes: 512, quotaSizeInBytes: 512,
permissionPreset: PermissionPreset.User,
}, },
}; };

85
e2e/src/responses.ts
View file

@ -77,6 +77,91 @@ export const signupResponseDto = {
quotaUsageInBytes: 0, quotaUsageInBytes: 0,
quotaSizeInBytes: null, quotaSizeInBytes: null,
status: 'active', status: 'active',
permissions: [
'activity.create',
'activity.read',
'activity.update',
'activity.delete',
'album.create',
'album.read',
'album.update',
'album.delete',
'asset.create',
'asset.read',
'asset.update',
'asset.delete',
'apiKey.create',
'apiKey.read',
'apiKey.update',
'apiKey.delete',
'authDevice.create',
'authDevice.read',
'authDevice.update',
'authDevice.delete',
'face.create',
'face.read',
'face.update',
'face.delete',
'library.create',
'library.read',
'library.update',
'library.delete',
'memory.create',
'memory.read',
'memory.update',
'memory.delete',
'memory.addAsset',
'memory.removeAsset',
'partner.create',
'partner.read',
'partner.update',
'partner.delete',
'person.create',
'person.read',
'person.update',
'person.delete',
'report.create',
'report.read',
'report.update',
'report.delete',
'sharedLink.create',
'sharedLink.read',
'sharedLink.update',
'sharedLink.delete',
'systemConfig.read',
'systemConfig.update',
'systemConfig.delete',
'stack.create',
'stack.read',
'stack.update',
'stack.delete',
'tag.create',
'tag.read',
'tag.update',
'tag.delete',
'user.create',
'user.read',
'user.update',
'user.delete',
'auth.changePassword',
'auth.oauth',
'album.addAsset',
'album.removeAsset',
'album.addUser',
'album.removeUser',
'asset.viewThumb',
'asset.viewPreview',
'asset.viewOriginal',
'asset.upload',
'asset.download',
'job.read',
'job.run',
'map.read',
'user.readSimple',
'user.changePassword',
'server.read',
'server.setup',
],
}, },
}; };

344
open-api/immich-openapi-specs.json
View file

@ -6428,15 +6428,6 @@
} }
}, },
"security": [ "security": [
{
"bearer": []
},
{
"cookie": []
},
{
"api_key": []
},
{ {
"bearer": [] "bearer": []
}, },
@ -6564,15 +6555,6 @@
} }
}, },
"security": [ "security": [
{
"bearer": []
},
{
"cookie": []
},
{
"api_key": []
},
{ {
"bearer": [] "bearer": []
}, },
@ -7975,6 +7957,103 @@
], ],
"type": "object" "type": "object"
}, },
"AuthorizationPermission": {
"enum": [
"activity.create",
"activity.read",
"activity.update",
"activity.delete",
"album.create",
"album.read",
"album.update",
"album.delete",
"asset.create",
"asset.read",
"asset.update",
"asset.delete",
"apiKey.create",
"apiKey.read",
"apiKey.update",
"apiKey.delete",
"authDevice.create",
"authDevice.read",
"authDevice.update",
"authDevice.delete",
"face.create",
"face.read",
"face.update",
"face.delete",
"library.create",
"library.read",
"library.update",
"library.delete",
"memory.create",
"memory.read",
"memory.update",
"memory.delete",
"memory.addAsset",
"memory.removeAsset",
"partner.create",
"partner.read",
"partner.update",
"partner.delete",
"person.create",
"person.read",
"person.update",
"person.delete",
"report.create",
"report.read",
"report.update",
"report.delete",
"session.create",
"session.read",
"session.update",
"session.delete",
"sharedLink.create",
"sharedLink.read",
"sharedLink.update",
"sharedLink.delete",
"systemConfig.create",
"systemConfig.read",
"systemConfig.update",
"systemConfig.delete",
"systemMetadata.create",
"systemMetadata.read",
"systemMetadata.update",
"systemMetadata.delete",
"stack.create",
"stack.read",
"stack.update",
"stack.delete",
"tag.create",
"tag.read",
"tag.update",
"tag.delete",
"user.create",
"user.read",
"user.update",
"user.delete",
"auth.changePassword",
"auth.oauth",
"album.addAsset",
"album.removeAsset",
"album.addUser",
"album.removeUser",
"asset.viewThumb",
"asset.viewPreview",
"asset.viewOriginal",
"asset.upload",
"asset.download",
"job.read",
"job.run",
"map.read",
"user.readSimple",
"user.changePassword",
"server.read",
"server.setup"
],
"type": "string"
},
"BulkIdResponseDto": { "BulkIdResponseDto": {
"properties": { "properties": {
"error": { "error": {
@ -8284,6 +8363,15 @@
"password": { "password": {
"type": "string" "type": "string"
}, },
"permissionPreset": {
"$ref": "#/components/schemas/PermissionPreset"
},
"permissions": {
"items": {
"$ref": "#/components/schemas/AuthorizationPermission"
},
"type": "array"
},
"quotaSizeInBytes": { "quotaSizeInBytes": {
"format": "int64", "format": "int64",
"nullable": true, "nullable": true,
@ -8300,7 +8388,8 @@
"required": [ "required": [
"email", "email",
"name", "name",
"password" "password",
"permissionPreset"
], ],
"type": "object" "type": "object"
}, },
@ -9364,6 +9453,106 @@
"oauthId": { "oauthId": {
"type": "string" "type": "string"
}, },
"permissions": {
"items": {
"enum": [
"activity.create",
"activity.read",
"activity.update",
"activity.delete",
"album.create",
"album.read",
"album.update",
"album.delete",
"asset.create",
"asset.read",
"asset.update",
"asset.delete",
"apiKey.create",
"apiKey.read",
"apiKey.update",
"apiKey.delete",
"authDevice.create",
"authDevice.read",
"authDevice.update",
"authDevice.delete",
"face.create",
"face.read",
"face.update",
"face.delete",
"library.create",
"library.read",
"library.update",
"library.delete",
"memory.create",
"memory.read",
"memory.update",
"memory.delete",
"memory.addAsset",
"memory.removeAsset",
"partner.create",
"partner.read",
"partner.update",
"partner.delete",
"person.create",
"person.read",
"person.update",
"person.delete",
"report.create",
"report.read",
"report.update",
"report.delete",
"session.create",
"session.read",
"session.update",
"session.delete",
"sharedLink.create",
"sharedLink.read",
"sharedLink.update",
"sharedLink.delete",
"systemConfig.create",
"systemConfig.read",
"systemConfig.update",
"systemConfig.delete",
"systemMetadata.create",
"systemMetadata.read",
"systemMetadata.update",
"systemMetadata.delete",
"stack.create",
"stack.read",
"stack.update",
"stack.delete",
"tag.create",
"tag.read",
"tag.update",
"tag.delete",
"user.create",
"user.read",
"user.update",
"user.delete",
"auth.changePassword",
"auth.oauth",
"album.addAsset",
"album.removeAsset",
"album.addUser",
"album.removeUser",
"asset.viewThumb",
"asset.viewPreview",
"asset.viewOriginal",
"asset.upload",
"asset.download",
"job.read",
"job.run",
"map.read",
"user.readSimple",
"user.changePassword",
"server.read",
"server.setup"
],
"type": "string"
},
"type": "array"
},
"profileImagePath": { "profileImagePath": {
"type": "string" "type": "string"
}, },
@ -9497,6 +9686,14 @@
], ],
"type": "object" "type": "object"
}, },
"PermissionPreset": {
"enum": [
"user",
"admin",
"custom"
],
"type": "string"
},
"PersonCreateDto": { "PersonCreateDto": {
"properties": { "properties": {
"birthDate": { "birthDate": {
@ -11252,6 +11449,15 @@
"password": { "password": {
"type": "string" "type": "string"
}, },
"permissionPreset": {
"$ref": "#/components/schemas/PermissionPreset"
},
"permissions": {
"items": {
"$ref": "#/components/schemas/AuthorizationPermission"
},
"type": "array"
},
"quotaSizeInBytes": { "quotaSizeInBytes": {
"format": "int64", "format": "int64",
"nullable": true, "nullable": true,
@ -11377,6 +11583,106 @@
"oauthId": { "oauthId": {
"type": "string" "type": "string"
}, },
"permissions": {
"items": {
"enum": [
"activity.create",
"activity.read",
"activity.update",
"activity.delete",
"album.create",
"album.read",
"album.update",
"album.delete",
"asset.create",
"asset.read",
"asset.update",
"asset.delete",
"apiKey.create",
"apiKey.read",
"apiKey.update",
"apiKey.delete",
"authDevice.create",
"authDevice.read",
"authDevice.update",
"authDevice.delete",
"face.create",
"face.read",
"face.update",
"face.delete",
"library.create",
"library.read",
"library.update",
"library.delete",
"memory.create",
"memory.read",
"memory.update",
"memory.delete",
"memory.addAsset",
"memory.removeAsset",
"partner.create",
"partner.read",
"partner.update",
"partner.delete",
"person.create",
"person.read",
"person.update",
"person.delete",
"report.create",
"report.read",
"report.update",
"report.delete",
"session.create",
"session.read",
"session.update",
"session.delete",
"sharedLink.create",
"sharedLink.read",
"sharedLink.update",
"sharedLink.delete",
"systemConfig.create",
"systemConfig.read",
"systemConfig.update",
"systemConfig.delete",
"systemMetadata.create",
"systemMetadata.read",
"systemMetadata.update",
"systemMetadata.delete",
"stack.create",
"stack.read",
"stack.update",
"stack.delete",
"tag.create",
"tag.read",
"tag.update",
"tag.delete",
"user.create",
"user.read",
"user.update",
"user.delete",
"auth.changePassword",
"auth.oauth",
"album.addAsset",
"album.removeAsset",
"album.addUser",
"album.removeUser",
"asset.viewThumb",
"asset.viewPreview",
"asset.viewOriginal",
"asset.upload",
"asset.download",
"job.read",
"job.run",
"map.read",
"user.readSimple",
"user.changePassword",
"server.read",
"server.setup"
],
"type": "string"
},
"type": "array"
},
"profileImagePath": { "profileImagePath": {
"type": "string" "type": "string"
}, },

69
open-api/typescript-sdk/src/fetch-client.ts
View file

@ -71,6 +71,7 @@ export type UserResponseDto = {
memoriesEnabled?: boolean; memoriesEnabled?: boolean;
name: string; name: string;
oauthId: string; oauthId: string;
permissions?: ("activity.create" | "activity.read" | "activity.update" | "activity.delete" | "album.create" | "album.read" | "album.update" | "album.delete" | "apiKey.create" | "apiKey.read" | "apiKey.update" | "apiKey.delete" | "asset.create" | "asset.read" | "asset.update" | "asset.delete" | "authDevice.create" | "authDevice.read" | "authDevice.update" | "authDevice.delete" | "face.create" | "face.read" | "face.update" | "face.delete" | "memory.create" | "memory.read" | "memory.update" | "memory.delete" | "partner.create" | "partner.read" | "partner.update" | "partner.delete" | "person.create" | "person.read" | "person.update" | "person.delete" | "sharedLink.create" | "sharedLink.read" | "sharedLink.update" | "sharedLink.delete" | "systemConfig.read" | "systemConfig.update" | "systemConfig.delete" | "stack.create" | "stack.read" | "stack.update" | "stack.delete" | "tag.create" | "tag.read" | "tag.update" | "tag.delete" | "user.create" | "user.readSimple" | "user.read" | "user.update" | "user.delete")[];
profileImagePath: string; profileImagePath: string;
quotaSizeInBytes: number | null; quotaSizeInBytes: number | null;
quotaUsageInBytes: number | null; quotaUsageInBytes: number | null;
@ -513,6 +514,7 @@ export type PartnerResponseDto = {
memoriesEnabled?: boolean; memoriesEnabled?: boolean;
name: string; name: string;
oauthId: string; oauthId: string;
permissions?: ("activity.create" | "activity.read" | "activity.update" | "activity.delete" | "album.create" | "album.read" | "album.update" | "album.delete" | "apiKey.create" | "apiKey.read" | "apiKey.update" | "apiKey.delete" | "asset.create" | "asset.read" | "asset.update" | "asset.delete" | "authDevice.create" | "authDevice.read" | "authDevice.update" | "authDevice.delete" | "face.create" | "face.read" | "face.update" | "face.delete" | "memory.create" | "memory.read" | "memory.update" | "memory.delete" | "partner.create" | "partner.read" | "partner.update" | "partner.delete" | "person.create" | "person.read" | "person.update" | "person.delete" | "sharedLink.create" | "sharedLink.read" | "sharedLink.update" | "sharedLink.delete" | "systemConfig.read" | "systemConfig.update" | "systemConfig.delete" | "stack.create" | "stack.read" | "stack.update" | "stack.delete" | "tag.create" | "tag.read" | "tag.update" | "tag.delete" | "user.create" | "user.readSimple" | "user.read" | "user.update" | "user.delete")[];
profileImagePath: string; profileImagePath: string;
quotaSizeInBytes: number | null; quotaSizeInBytes: number | null;
quotaUsageInBytes: number | null; quotaUsageInBytes: number | null;
@ -1021,6 +1023,8 @@ export type CreateUserDto = {
memoriesEnabled?: boolean; memoriesEnabled?: boolean;
name: string; name: string;
password: string; password: string;
permissionPreset: PermissionPreset;
permissions?: AuthorizationPermission[];
quotaSizeInBytes?: number | null; quotaSizeInBytes?: number | null;
shouldChangePassword?: boolean; shouldChangePassword?: boolean;
storageLabel?: string | null; storageLabel?: string | null;
@ -1033,6 +1037,8 @@ export type UpdateUserDto = {
memoriesEnabled?: boolean; memoriesEnabled?: boolean;
name?: string; name?: string;
password?: string; password?: string;
permissionPreset?: PermissionPreset;
permissions?: AuthorizationPermission[];
quotaSizeInBytes?: number | null; quotaSizeInBytes?: number | null;
shouldChangePassword?: boolean; shouldChangePassword?: boolean;
storageLabel?: string; storageLabel?: string;
@ -3103,3 +3109,66 @@ export enum TimeBucketSize {
Day = "DAY", Day = "DAY",
Month = "MONTH" Month = "MONTH"
} }
export enum PermissionPreset {
User = "user",
Admin = "admin",
Custom = "custom"
}
export enum AuthorizationPermission {
ActivityCreate = "activity.create",
ActivityRead = "activity.read",
ActivityUpdate = "activity.update",
ActivityDelete = "activity.delete",
AlbumCreate = "album.create",
AlbumRead = "album.read",
AlbumUpdate = "album.update",
AlbumDelete = "album.delete",
ApiKeyCreate = "apiKey.create",
ApiKeyRead = "apiKey.read",
ApiKeyUpdate = "apiKey.update",
ApiKeyDelete = "apiKey.delete",
AssetCreate = "asset.create",
AssetRead = "asset.read",
AssetUpdate = "asset.update",
AssetDelete = "asset.delete",
AuthDeviceCreate = "authDevice.create",
AuthDeviceRead = "authDevice.read",
AuthDeviceUpdate = "authDevice.update",
AuthDeviceDelete = "authDevice.delete",
FaceCreate = "face.create",
FaceRead = "face.read",
FaceUpdate = "face.update",
FaceDelete = "face.delete",
MemoryCreate = "memory.create",
MemoryRead = "memory.read",
MemoryUpdate = "memory.update",
MemoryDelete = "memory.delete",
PartnerCreate = "partner.create",
PartnerRead = "partner.read",
PartnerUpdate = "partner.update",
PartnerDelete = "partner.delete",
PersonCreate = "person.create",
PersonRead = "person.read",
PersonUpdate = "person.update",
PersonDelete = "person.delete",
SharedLinkCreate = "sharedLink.create",
SharedLinkRead = "sharedLink.read",
SharedLinkUpdate = "sharedLink.update",
SharedLinkDelete = "sharedLink.delete",
SystemConfigRead = "systemConfig.read",
SystemConfigUpdate = "systemConfig.update",
SystemConfigDelete = "systemConfig.delete",
StackCreate = "stack.create",
StackRead = "stack.read",
StackUpdate = "stack.update",
StackDelete = "stack.delete",
TagCreate = "tag.create",
TagRead = "tag.read",
TagUpdate = "tag.update",
TagDelete = "tag.delete",
UserCreate = "user.create",
UserReadSimple = "user.readSimple",
UserRead = "user.read",
UserUpdate = "user.update",
UserDelete = "user.delete"
}

7
server/src/controllers/activity.controller.ts
View file

@ -8,28 +8,30 @@ import {
ActivitySearchDto, ActivitySearchDto,
ActivityStatisticsResponseDto, ActivityStatisticsResponseDto,
} from 'src/dtos/activity.dto'; } from 'src/dtos/activity.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { ActivityService } from 'src/services/activity.service'; import { ActivityService } from 'src/services/activity.service';
import { UUIDParamDto } from 'src/validation'; import { UUIDParamDto } from 'src/validation';
@ApiTags('Activity') @ApiTags('Activity')
@Controller('activity') @Controller('activity')
@Authenticated()
export class ActivityController { export class ActivityController {
constructor(private service: ActivityService) {} constructor(private service: ActivityService) {}
@Get() @Get()
@Authenticated(Permission.ACTIVITY_READ)
getActivities(@Auth() auth: AuthDto, @Query() dto: ActivitySearchDto): Promise<ActivityResponseDto[]> { getActivities(@Auth() auth: AuthDto, @Query() dto: ActivitySearchDto): Promise<ActivityResponseDto[]> {
return this.service.getAll(auth, dto); return this.service.getAll(auth, dto);
} }
@Get('statistics') @Get('statistics')
@Authenticated(Permission.ACTIVITY_READ)
getActivityStatistics(@Auth() auth: AuthDto, @Query() dto: ActivityDto): Promise<ActivityStatisticsResponseDto> { getActivityStatistics(@Auth() auth: AuthDto, @Query() dto: ActivityDto): Promise<ActivityStatisticsResponseDto> {
return this.service.getStatistics(auth, dto); return this.service.getStatistics(auth, dto);
} }
@Post() @Post()
@Authenticated(Permission.ACTIVITY_CREATE)
async createActivity( async createActivity(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Body() dto: ActivityCreateDto, @Body() dto: ActivityCreateDto,
@ -43,6 +45,7 @@ export class ActivityController {
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.ACTIVITY_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
deleteActivity(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> { deleteActivity(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
return this.service.delete(auth, id); return this.service.delete(auth, id);

17
server/src/controllers/album.controller.ts
View file

@ -10,34 +10,36 @@ import {
UpdateAlbumDto, UpdateAlbumDto,
} from 'src/dtos/album.dto'; } from 'src/dtos/album.dto';
import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto'; import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { Auth, Authenticated, SharedLinkRoute } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { AlbumService } from 'src/services/album.service'; import { AlbumService } from 'src/services/album.service';
import { ParseMeUUIDPipe, UUIDParamDto } from 'src/validation'; import { ParseMeUUIDPipe, UUIDParamDto } from 'src/validation';
@ApiTags('Album') @ApiTags('Album')
@Controller('album') @Controller('album')
@Authenticated()
export class AlbumController { export class AlbumController {
constructor(private service: AlbumService) {} constructor(private service: AlbumService) {}
@Get('count') @Get('count')
@Authenticated(Permission.ALBUM_READ)
getAlbumCount(@Auth() auth: AuthDto): Promise<AlbumCountResponseDto> { getAlbumCount(@Auth() auth: AuthDto): Promise<AlbumCountResponseDto> {
return this.service.getCount(auth); return this.service.getCount(auth);
} }
@Get() @Get()
@Authenticated(Permission.ALBUM_READ)
getAllAlbums(@Auth() auth: AuthDto, @Query() query: GetAlbumsDto): Promise<AlbumResponseDto[]> { getAllAlbums(@Auth() auth: AuthDto, @Query() query: GetAlbumsDto): Promise<AlbumResponseDto[]> {
return this.service.getAll(auth, query); return this.service.getAll(auth, query);
} }
@Post() @Post()
@Authenticated(Permission.ALBUM_CREATE)
createAlbum(@Auth() auth: AuthDto, @Body() dto: CreateAlbumDto): Promise<AlbumResponseDto> { createAlbum(@Auth() auth: AuthDto, @Body() dto: CreateAlbumDto): Promise<AlbumResponseDto> {
return this.service.create(auth, dto); return this.service.create(auth, dto);
} }
@SharedLinkRoute()
@Get(':id') @Get(':id')
@Authenticated(Permission.ALBUM_READ, { sharedLink: true })
getAlbumInfo( getAlbumInfo(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -47,6 +49,7 @@ export class AlbumController {
} }
@Patch(':id') @Patch(':id')
@Authenticated(Permission.ALBUM_UPDATE)
updateAlbumInfo( updateAlbumInfo(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -56,12 +59,13 @@ export class AlbumController {
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.ALBUM_DELETE)
deleteAlbum(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto) { deleteAlbum(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto) {
return this.service.delete(auth, id); return this.service.delete(auth, id);
} }
@SharedLinkRoute()
@Put(':id/assets') @Put(':id/assets')
@Authenticated(Permission.ALBUM_ADD_ASSET, { sharedLink: true })
addAssetsToAlbum( addAssetsToAlbum(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -71,6 +75,7 @@ export class AlbumController {
} }
@Delete(':id/assets') @Delete(':id/assets')
@Authenticated(Permission.ALBUM_REMOVE_ASSET)
removeAssetFromAlbum( removeAssetFromAlbum(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Body() dto: BulkIdsDto, @Body() dto: BulkIdsDto,
@ -80,6 +85,7 @@ export class AlbumController {
} }
@Put(':id/users') @Put(':id/users')
@Authenticated(Permission.ALBUM_ADD_USER)
addUsersToAlbum( addUsersToAlbum(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -89,6 +95,7 @@ export class AlbumController {
} }
@Delete(':id/user/:userId') @Delete(':id/user/:userId')
@Authenticated(Permission.ALBUM_REMOVE_USER, { bypassParamId: 'userId' })
removeUserFromAlbum( removeUserFromAlbum(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,

8
server/src/controllers/api-key.controller.ts
View file

@ -1,33 +1,36 @@
import { Body, Controller, Delete, Get, Param, Post, Put } from '@nestjs/common'; import { Body, Controller, Delete, Get, Param, Post, Put } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { APIKeyCreateDto, APIKeyCreateResponseDto, APIKeyResponseDto, APIKeyUpdateDto } from 'src/dtos/api-key.dto'; import { APIKeyCreateDto, APIKeyCreateResponseDto, APIKeyResponseDto, APIKeyUpdateDto } from 'src/dtos/api-key.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { APIKeyService } from 'src/services/api-key.service'; import { APIKeyService } from 'src/services/api-key.service';
import { UUIDParamDto } from 'src/validation'; import { UUIDParamDto } from 'src/validation';
@ApiTags('API Key') @ApiTags('API Key')
@Controller('api-key') @Controller('api-key')
@Authenticated()
export class APIKeyController { export class APIKeyController {
constructor(private service: APIKeyService) {} constructor(private service: APIKeyService) {}
@Post() @Post()
@Authenticated(Permission.API_KEY_CREATE)
createApiKey(@Auth() auth: AuthDto, @Body() dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> { createApiKey(@Auth() auth: AuthDto, @Body() dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
return this.service.create(auth, dto); return this.service.create(auth, dto);
} }
@Get() @Get()
@Authenticated(Permission.API_KEY_READ)
getApiKeys(@Auth() auth: AuthDto): Promise<APIKeyResponseDto[]> { getApiKeys(@Auth() auth: AuthDto): Promise<APIKeyResponseDto[]> {
return this.service.getAll(auth); return this.service.getAll(auth);
} }
@Get(':id') @Get(':id')
@Authenticated(Permission.API_KEY_READ)
getApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<APIKeyResponseDto> { getApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<APIKeyResponseDto> {
return this.service.getById(auth, id); return this.service.getById(auth, id);
} }
@Put(':id') @Put(':id')
@Authenticated(Permission.API_KEY_UPDATE)
updateApiKey( updateApiKey(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -37,6 +40,7 @@ export class APIKeyController {
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.API_KEY_DELETE)
deleteApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> { deleteApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
return this.service.delete(auth, id); return this.service.delete(auth, id);
} }

2
server/src/controllers/app.controller.ts
View file

@ -1,6 +1,5 @@
import { Controller, Get, Header } from '@nestjs/common'; import { Controller, Get, Header } from '@nestjs/common';
import { ApiExcludeEndpoint } from '@nestjs/swagger'; import { ApiExcludeEndpoint } from '@nestjs/swagger';
import { PublicRoute } from 'src/middleware/auth.guard';
import { SystemConfigService } from 'src/services/system-config.service'; import { SystemConfigService } from 'src/services/system-config.service';
@Controller() @Controller()
@ -18,7 +17,6 @@ export class AppController {
} }
@ApiExcludeEndpoint() @ApiExcludeEndpoint()
@PublicRoute()
@Get('custom.css') @Get('custom.css')
@Header('Content-Type', 'text/css') @Header('Content-Type', 'text/css')
getCustomCss() { getCustomCss() {

17
server/src/controllers/asset-v1.controller.ts
View file

@ -31,8 +31,8 @@ import {
GetAssetThumbnailDto, GetAssetThumbnailDto,
ServeFileDto, ServeFileDto,
} from 'src/dtos/asset-v1.dto'; } from 'src/dtos/asset-v1.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { Auth, Authenticated, FileResponse, SharedLinkRoute } from 'src/middleware/auth.guard'; import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
import { FileUploadInterceptor, ImmichFile, Route, mapToUploadFile } from 'src/middleware/file-upload.interceptor'; import { FileUploadInterceptor, ImmichFile, Route, mapToUploadFile } from 'src/middleware/file-upload.interceptor';
import { AssetServiceV1 } from 'src/services/asset-v1.service'; import { AssetServiceV1 } from 'src/services/asset-v1.service';
import { sendFile } from 'src/utils/file'; import { sendFile } from 'src/utils/file';
@ -46,12 +46,11 @@ interface UploadFiles {
@ApiTags('Asset') @ApiTags('Asset')
@Controller(Route.ASSET) @Controller(Route.ASSET)
@Authenticated()
export class AssetControllerV1 { export class AssetControllerV1 {
constructor(private service: AssetServiceV1) {} constructor(private service: AssetServiceV1) {}
@SharedLinkRoute()
@Post('upload') @Post('upload')
@Authenticated(Permission.ASSET_UPLOAD, { sharedLink: true })
@UseInterceptors(FileUploadInterceptor) @UseInterceptors(FileUploadInterceptor)
@ApiConsumes('multipart/form-data') @ApiConsumes('multipart/form-data')
@ApiBody({ @ApiBody({
@ -85,8 +84,8 @@ export class AssetControllerV1 {
return responseDto; return responseDto;
} }
@SharedLinkRoute()
@Get('/file/:id') @Get('/file/:id')
@Authenticated(Permission.ASSET_VIEW_ORIGINAL, { sharedLink: true })
@FileResponse() @FileResponse()
async serveFile( async serveFile(
@Res() res: Response, @Res() res: Response,
@ -98,8 +97,8 @@ export class AssetControllerV1 {
await sendFile(res, next, () => this.service.serveFile(auth, id, dto)); await sendFile(res, next, () => this.service.serveFile(auth, id, dto));
} }
@SharedLinkRoute()
@Get('/thumbnail/:id') @Get('/thumbnail/:id')
@Authenticated(Permission.ASSET_VIEW_THUMB, { sharedLink: true })
@FileResponse() @FileResponse()
async getAssetThumbnail( async getAssetThumbnail(
@Res() res: Response, @Res() res: Response,
@ -112,16 +111,19 @@ export class AssetControllerV1 {
} }
@Get('/curated-objects') @Get('/curated-objects')
@Authenticated(Permission.ASSET_READ)
getCuratedObjects(@Auth() auth: AuthDto): Promise<CuratedObjectsResponseDto[]> { getCuratedObjects(@Auth() auth: AuthDto): Promise<CuratedObjectsResponseDto[]> {
return this.service.getCuratedObject(auth); return this.service.getCuratedObject(auth);
} }
@Get('/curated-locations') @Get('/curated-locations')
@Authenticated(Permission.ASSET_READ)
getCuratedLocations(@Auth() auth: AuthDto): Promise<CuratedLocationsResponseDto[]> { getCuratedLocations(@Auth() auth: AuthDto): Promise<CuratedLocationsResponseDto[]> {
return this.service.getCuratedLocation(auth); return this.service.getCuratedLocation(auth);
} }
@Get('/search-terms') @Get('/search-terms')
@Authenticated(Permission.ASSET_READ)
getAssetSearchTerms(@Auth() auth: AuthDto): Promise<string[]> { getAssetSearchTerms(@Auth() auth: AuthDto): Promise<string[]> {
return this.service.getAssetSearchTerm(auth); return this.service.getAssetSearchTerm(auth);
} }
@ -130,6 +132,7 @@ export class AssetControllerV1 {
* Get all AssetEntity belong to the user * Get all AssetEntity belong to the user
*/ */
@Get('/') @Get('/')
@Authenticated(Permission.ASSET_READ)
@ApiHeader({ @ApiHeader({
name: 'if-none-match', name: 'if-none-match',
description: 'ETag of data already cached on the client', description: 'ETag of data already cached on the client',
@ -144,6 +147,7 @@ export class AssetControllerV1 {
* Checks if multiple assets exist on the server and returns all existing - used by background backup * Checks if multiple assets exist on the server and returns all existing - used by background backup
*/ */
@Post('/exist') @Post('/exist')
@Authenticated(Permission.ASSET_READ)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
checkExistingAssets( checkExistingAssets(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@ -156,6 +160,7 @@ export class AssetControllerV1 {
* Checks if assets exist by checksums * Checks if assets exist by checksums
*/ */
@Post('/bulk-upload-check') @Post('/bulk-upload-check')
@Authenticated(Permission.ASSET_READ)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
checkBulkUpload( checkBulkUpload(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,

20
server/src/controllers/asset.controller.ts
View file

@ -11,10 +11,10 @@ import {
RandomAssetsDto, RandomAssetsDto,
UpdateAssetDto, UpdateAssetDto,
} from 'src/dtos/asset.dto'; } from 'src/dtos/asset.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { MapMarkerDto, MapMarkerResponseDto, MemoryLaneDto, MetadataSearchDto } from 'src/dtos/search.dto'; import { MapMarkerDto, MapMarkerResponseDto, MemoryLaneDto, MetadataSearchDto } from 'src/dtos/search.dto';
import { UpdateStackParentDto } from 'src/dtos/stack.dto'; import { UpdateStackParentDto } from 'src/dtos/stack.dto';
import { Auth, Authenticated, SharedLinkRoute } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { Route } from 'src/middleware/file-upload.interceptor'; import { Route } from 'src/middleware/file-upload.interceptor';
import { AssetService } from 'src/services/asset.service'; import { AssetService } from 'src/services/asset.service';
import { SearchService } from 'src/services/search.service'; import { SearchService } from 'src/services/search.service';
@ -22,11 +22,11 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('Asset') @ApiTags('Asset')
@Controller('assets') @Controller('assets')
@Authenticated()
export class AssetsController { export class AssetsController {
constructor(private searchService: SearchService) {} constructor(private searchService: SearchService) {}
@Get() @Get()
@Authenticated(Permission.ASSET_READ)
@ApiOperation({ deprecated: true }) @ApiOperation({ deprecated: true })
async searchAssets(@Auth() auth: AuthDto, @Query() dto: MetadataSearchDto): Promise<AssetResponseDto[]> { async searchAssets(@Auth() auth: AuthDto, @Query() dto: MetadataSearchDto): Promise<AssetResponseDto[]> {
const { const {
@ -38,21 +38,23 @@ export class AssetsController {
@ApiTags('Asset') @ApiTags('Asset')
@Controller(Route.ASSET) @Controller(Route.ASSET)
@Authenticated()
export class AssetController { export class AssetController {
constructor(private service: AssetService) {} constructor(private service: AssetService) {}
@Get('map-marker') @Get('map-marker')
@Authenticated(Permission.ASSET_READ)
getMapMarkers(@Auth() auth: AuthDto, @Query() options: MapMarkerDto): Promise<MapMarkerResponseDto[]> { getMapMarkers(@Auth() auth: AuthDto, @Query() options: MapMarkerDto): Promise<MapMarkerResponseDto[]> {
return this.service.getMapMarkers(auth, options); return this.service.getMapMarkers(auth, options);
} }
@Get('memory-lane') @Get('memory-lane')
@Authenticated(Permission.MEMORY_READ)
getMemoryLane(@Auth() auth: AuthDto, @Query() dto: MemoryLaneDto): Promise<MemoryLaneResponseDto[]> { getMemoryLane(@Auth() auth: AuthDto, @Query() dto: MemoryLaneDto): Promise<MemoryLaneResponseDto[]> {
return this.service.getMemoryLane(auth, dto); return this.service.getMemoryLane(auth, dto);
} }
@Get('random') @Get('random')
@Authenticated(Permission.ASSET_READ)
getRandom(@Auth() auth: AuthDto, @Query() dto: RandomAssetsDto): Promise<AssetResponseDto[]> { getRandom(@Auth() auth: AuthDto, @Query() dto: RandomAssetsDto): Promise<AssetResponseDto[]> {
return this.service.getRandom(auth, dto.count ?? 1); return this.service.getRandom(auth, dto.count ?? 1);
} }
@ -61,46 +63,54 @@ export class AssetController {
* Get all asset of a device that are in the database, ID only. * Get all asset of a device that are in the database, ID only.
*/ */
@Get('/device/:deviceId') @Get('/device/:deviceId')
@Authenticated(Permission.ASSET_READ)
getAllUserAssetsByDeviceId(@Auth() auth: AuthDto, @Param() { deviceId }: DeviceIdDto) { getAllUserAssetsByDeviceId(@Auth() auth: AuthDto, @Param() { deviceId }: DeviceIdDto) {
return this.service.getUserAssetsByDeviceId(auth, deviceId); return this.service.getUserAssetsByDeviceId(auth, deviceId);
} }
@Get('statistics') @Get('statistics')
@Authenticated(Permission.ASSET_READ)
getAssetStatistics(@Auth() auth: AuthDto, @Query() dto: AssetStatsDto): Promise<AssetStatsResponseDto> { getAssetStatistics(@Auth() auth: AuthDto, @Query() dto: AssetStatsDto): Promise<AssetStatsResponseDto> {
return this.service.getStatistics(auth, dto); return this.service.getStatistics(auth, dto);
} }
@Post('jobs') @Post('jobs')
// TODO
@Authenticated(Permission.ASSET_READ)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
runAssetJobs(@Auth() auth: AuthDto, @Body() dto: AssetJobsDto): Promise<void> { runAssetJobs(@Auth() auth: AuthDto, @Body() dto: AssetJobsDto): Promise<void> {
return this.service.run(auth, dto); return this.service.run(auth, dto);
} }
@Put() @Put()
@Authenticated(Permission.ASSET_UPDATE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
updateAssets(@Auth() auth: AuthDto, @Body() dto: AssetBulkUpdateDto): Promise<void> { updateAssets(@Auth() auth: AuthDto, @Body() dto: AssetBulkUpdateDto): Promise<void> {
return this.service.updateAll(auth, dto); return this.service.updateAll(auth, dto);
} }
@Delete() @Delete()
@Authenticated(Permission.ASSET_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
deleteAssets(@Auth() auth: AuthDto, @Body() dto: AssetBulkDeleteDto): Promise<void> { deleteAssets(@Auth() auth: AuthDto, @Body() dto: AssetBulkDeleteDto): Promise<void> {
return this.service.deleteAll(auth, dto); return this.service.deleteAll(auth, dto);
} }
@Put('stack/parent') @Put('stack/parent')
@Authenticated(Permission.STACK_UPDATE)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
updateStackParent(@Auth() auth: AuthDto, @Body() dto: UpdateStackParentDto): Promise<void> { updateStackParent(@Auth() auth: AuthDto, @Body() dto: UpdateStackParentDto): Promise<void> {
return this.service.updateStackParent(auth, dto); return this.service.updateStackParent(auth, dto);
} }
@SharedLinkRoute()
@Get(':id') @Get(':id')
@Authenticated(Permission.ASSET_READ, { sharedLink: true })
getAssetInfo(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto> { getAssetInfo(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto> {
return this.service.get(auth, id) as Promise<AssetResponseDto>; return this.service.get(auth, id) as Promise<AssetResponseDto>;
} }
@Put(':id') @Put(':id')
@Authenticated(Permission.ASSET_UPDATE)
updateAsset( updateAsset(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,

4
server/src/controllers/audit.controller.ts
View file

@ -1,17 +1,17 @@
import { Controller, Get, Query } from '@nestjs/common'; import { Controller, Get, Query } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { AuditDeletesDto, AuditDeletesResponseDto } from 'src/dtos/audit.dto'; import { AuditDeletesDto, AuditDeletesResponseDto } from 'src/dtos/audit.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { AuditService } from 'src/services/audit.service'; import { AuditService } from 'src/services/audit.service';
@ApiTags('Audit') @ApiTags('Audit')
@Controller('audit') @Controller('audit')
@Authenticated()
export class AuditController { export class AuditController {
constructor(private service: AuditService) {} constructor(private service: AuditService) {}
@Get('deletes') @Get('deletes')
@Authenticated(Permission.ASSET_READ)
getAuditDeletes(@Auth() auth: AuthDto, @Query() dto: AuditDeletesDto): Promise<AuditDeletesResponseDto> { getAuditDeletes(@Auth() auth: AuthDto, @Query() dto: AuditDeletesDto): Promise<AuditDeletesResponseDto> {
return this.service.getDeletes(auth, dto); return this.service.getDeletes(auth, dto);
} }

9
server/src/controllers/auth.controller.ts
View file

@ -9,21 +9,20 @@ import {
LoginCredentialDto, LoginCredentialDto,
LoginResponseDto, LoginResponseDto,
LogoutResponseDto, LogoutResponseDto,
Permission,
SignUpDto, SignUpDto,
ValidateAccessTokenResponseDto, ValidateAccessTokenResponseDto,
} from 'src/dtos/auth.dto'; } from 'src/dtos/auth.dto';
import { UserResponseDto, mapUser } from 'src/dtos/user.dto'; import { UserResponseDto, mapUser } from 'src/dtos/user.dto';
import { Auth, Authenticated, GetLoginDetails, PublicRoute } from 'src/middleware/auth.guard'; import { Auth, Authenticated, GetLoginDetails } from 'src/middleware/auth.guard';
import { AuthService, LoginDetails } from 'src/services/auth.service'; import { AuthService, LoginDetails } from 'src/services/auth.service';
import { respondWithCookie, respondWithoutCookie } from 'src/utils/response'; import { respondWithCookie, respondWithoutCookie } from 'src/utils/response';
@ApiTags('Authentication') @ApiTags('Authentication')
@Controller('auth') @Controller('auth')
@Authenticated()
export class AuthController { export class AuthController {
constructor(private service: AuthService) {} constructor(private service: AuthService) {}
@PublicRoute()
@Post('login') @Post('login')
async login( async login(
@Body() loginCredential: LoginCredentialDto, @Body() loginCredential: LoginCredentialDto,
@ -41,25 +40,27 @@ export class AuthController {
}); });
} }
@PublicRoute()
@Post('admin-sign-up') @Post('admin-sign-up')
signUpAdmin(@Body() dto: SignUpDto): Promise<UserResponseDto> { signUpAdmin(@Body() dto: SignUpDto): Promise<UserResponseDto> {
return this.service.adminSignUp(dto); return this.service.adminSignUp(dto);
} }
@Post('validateToken') @Post('validateToken')
@Authenticated(Permission.AUTH_DEVICE_READ)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
validateAccessToken(): ValidateAccessTokenResponseDto { validateAccessToken(): ValidateAccessTokenResponseDto {
return { authStatus: true }; return { authStatus: true };
} }
@Post('change-password') @Post('change-password')
@Authenticated(Permission.AUTH_CHANGE_PASSWORD)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
changePassword(@Auth() auth: AuthDto, @Body() dto: ChangePasswordDto): Promise<UserResponseDto> { changePassword(@Auth() auth: AuthDto, @Body() dto: ChangePasswordDto): Promise<UserResponseDto> {
return this.service.changePassword(auth, dto).then(mapUser); return this.service.changePassword(auth, dto).then(mapUser);
} }
@Post('logout') @Post('logout')
@Authenticated(Permission.AUTH_DEVICE_DELETE)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
async logout( async logout(
@Req() request: Request, @Req() request: Request,

11
server/src/controllers/download.controller.ts
View file

@ -2,35 +2,34 @@ import { Body, Controller, HttpCode, HttpStatus, Next, Param, Post, Res, Streama
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { NextFunction, Response } from 'express'; import { NextFunction, Response } from 'express';
import { AssetIdsDto } from 'src/dtos/asset.dto'; import { AssetIdsDto } from 'src/dtos/asset.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { DownloadInfoDto, DownloadResponseDto } from 'src/dtos/download.dto'; import { DownloadInfoDto, DownloadResponseDto } from 'src/dtos/download.dto';
import { Auth, Authenticated, FileResponse, SharedLinkRoute } from 'src/middleware/auth.guard'; import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
import { DownloadService } from 'src/services/download.service'; import { DownloadService } from 'src/services/download.service';
import { asStreamableFile, sendFile } from 'src/utils/file'; import { asStreamableFile, sendFile } from 'src/utils/file';
import { UUIDParamDto } from 'src/validation'; import { UUIDParamDto } from 'src/validation';
@ApiTags('Download') @ApiTags('Download')
@Controller('download') @Controller('download')
@Authenticated()
export class DownloadController { export class DownloadController {
constructor(private service: DownloadService) {} constructor(private service: DownloadService) {}
@SharedLinkRoute()
@Post('info') @Post('info')
@Authenticated(Permission.ASSET_READ, { sharedLink: true })
getDownloadInfo(@Auth() auth: AuthDto, @Body() dto: DownloadInfoDto): Promise<DownloadResponseDto> { getDownloadInfo(@Auth() auth: AuthDto, @Body() dto: DownloadInfoDto): Promise<DownloadResponseDto> {
return this.service.getDownloadInfo(auth, dto); return this.service.getDownloadInfo(auth, dto);
} }
@SharedLinkRoute()
@Post('archive') @Post('archive')
@Authenticated(Permission.ASSET_DOWNLOAD, { sharedLink: true })
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
@FileResponse() @FileResponse()
downloadArchive(@Auth() auth: AuthDto, @Body() dto: AssetIdsDto): Promise<StreamableFile> { downloadArchive(@Auth() auth: AuthDto, @Body() dto: AssetIdsDto): Promise<StreamableFile> {
return this.service.downloadArchive(auth, dto).then(asStreamableFile); return this.service.downloadArchive(auth, dto).then(asStreamableFile);
} }
@SharedLinkRoute()
@Post('asset/:id') @Post('asset/:id')
@Authenticated(Permission.ASSET_DOWNLOAD, { sharedLink: true })
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
@FileResponse() @FileResponse()
async downloadFile( async downloadFile(

5
server/src/controllers/face.controller.ts
View file

@ -1,6 +1,6 @@
import { Body, Controller, Get, Param, Put, Query } from '@nestjs/common'; import { Body, Controller, Get, Param, Put, Query } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { AssetFaceResponseDto, FaceDto, PersonResponseDto } from 'src/dtos/person.dto'; import { AssetFaceResponseDto, FaceDto, PersonResponseDto } from 'src/dtos/person.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { PersonService } from 'src/services/person.service'; import { PersonService } from 'src/services/person.service';
@ -8,16 +8,17 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('Face') @ApiTags('Face')
@Controller('face') @Controller('face')
@Authenticated()
export class FaceController { export class FaceController {
constructor(private service: PersonService) {} constructor(private service: PersonService) {}
@Get() @Get()
@Authenticated(Permission.FACE_READ)
getFaces(@Auth() auth: AuthDto, @Query() dto: FaceDto): Promise<AssetFaceResponseDto[]> { getFaces(@Auth() auth: AuthDto, @Query() dto: FaceDto): Promise<AssetFaceResponseDto[]> {
return this.service.getFacesById(auth, dto); return this.service.getFacesById(auth, dto);
} }
@Put(':id') @Put(':id')
@Authenticated(Permission.FACE_UPDATE)
reassignFacesById( reassignFacesById(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,

10
server/src/controllers/file-report.controller.ts
View file

@ -1,29 +1,29 @@
import { Body, Controller, Get, Post } from '@nestjs/common'; import { Body, Controller, Get, Post } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { FileChecksumDto, FileChecksumResponseDto, FileReportDto, FileReportFixDto } from 'src/dtos/audit.dto'; import { FileChecksumDto, FileChecksumResponseDto, FileReportDto, FileReportFixDto } from 'src/dtos/audit.dto';
import { AdminRoute, Authenticated } from 'src/middleware/auth.guard'; import { Permission } from 'src/dtos/auth.dto';
import { Authenticated } from 'src/middleware/auth.guard';
import { AuditService } from 'src/services/audit.service'; import { AuditService } from 'src/services/audit.service';
@ApiTags('File Report') @ApiTags('File Report')
@Controller('report') @Controller('report')
@Authenticated()
export class ReportController { export class ReportController {
constructor(private service: AuditService) {} constructor(private service: AuditService) {}
@AdminRoute()
@Get() @Get()
@Authenticated(Permission.REPORT_READ)
getAuditFiles(): Promise<FileReportDto> { getAuditFiles(): Promise<FileReportDto> {
return this.service.getFileReport(); return this.service.getFileReport();
} }
@AdminRoute()
@Post('/checksum') @Post('/checksum')
@Authenticated(Permission.REPORT_READ)
getFileChecksums(@Body() dto: FileChecksumDto): Promise<FileChecksumResponseDto[]> { getFileChecksums(@Body() dto: FileChecksumDto): Promise<FileChecksumResponseDto[]> {
return this.service.getChecksums(dto); return this.service.getChecksums(dto);
} }
@AdminRoute()
@Post('/fix') @Post('/fix')
@Authenticated(Permission.REPORT_UPDATE)
fixAuditFiles(@Body() dto: FileReportFixDto): Promise<void> { fixAuditFiles(@Body() dto: FileReportFixDto): Promise<void> {
return this.service.fixItems(dto.items); return this.service.fixItems(dto.items);
} }

4
server/src/controllers/job.controller.ts
View file

@ -1,21 +1,23 @@
import { Body, Controller, Get, Param, Put } from '@nestjs/common'; import { Body, Controller, Get, Param, Put } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { Permission } from 'src/dtos/auth.dto';
import { AllJobStatusResponseDto, JobCommandDto, JobIdParamDto, JobStatusDto } from 'src/dtos/job.dto'; import { AllJobStatusResponseDto, JobCommandDto, JobIdParamDto, JobStatusDto } from 'src/dtos/job.dto';
import { Authenticated } from 'src/middleware/auth.guard'; import { Authenticated } from 'src/middleware/auth.guard';
import { JobService } from 'src/services/job.service'; import { JobService } from 'src/services/job.service';
@ApiTags('Job') @ApiTags('Job')
@Controller('jobs') @Controller('jobs')
@Authenticated({ admin: true })
export class JobController { export class JobController {
constructor(private service: JobService) {} constructor(private service: JobService) {}
@Get() @Get()
@Authenticated(Permission.JOB_READ)
getAllJobsStatus(): Promise<AllJobStatusResponseDto> { getAllJobsStatus(): Promise<AllJobStatusResponseDto> {
return this.service.getAllJobsStatus(); return this.service.getAllJobsStatus();
} }
@Put(':id') @Put(':id')
@Authenticated(Permission.JOB_RUN)
sendJobCommand(@Param() { id }: JobIdParamDto, @Body() dto: JobCommandDto): Promise<JobStatusDto> { sendJobCommand(@Param() { id }: JobIdParamDto, @Body() dto: JobCommandDto): Promise<JobStatusDto> {
return this.service.handleCommand(id, dto); return this.service.handleCommand(id, dto);
} }

14
server/src/controllers/library.controller.ts
View file

@ -1,5 +1,6 @@
import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post, Put, Query } from '@nestjs/common'; import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post, Put, Query } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { Permission } from 'src/dtos/auth.dto';
import { import {
CreateLibraryDto, CreateLibraryDto,
LibraryResponseDto, LibraryResponseDto,
@ -10,38 +11,41 @@ import {
ValidateLibraryDto, ValidateLibraryDto,
ValidateLibraryResponseDto, ValidateLibraryResponseDto,
} from 'src/dtos/library.dto'; } from 'src/dtos/library.dto';
import { AdminRoute, Authenticated } from 'src/middleware/auth.guard'; import { Authenticated } from 'src/middleware/auth.guard';
import { LibraryService } from 'src/services/library.service'; import { LibraryService } from 'src/services/library.service';
import { UUIDParamDto } from 'src/validation'; import { UUIDParamDto } from 'src/validation';
@ApiTags('Library') @ApiTags('Library')
@Controller('library') @Controller('library')
@Authenticated()
@AdminRoute()
export class LibraryController { export class LibraryController {
constructor(private service: LibraryService) {} constructor(private service: LibraryService) {}
@Get() @Get()
@Authenticated(Permission.LIBRARY_READ)
getAllLibraries(@Query() dto: SearchLibraryDto): Promise<LibraryResponseDto[]> { getAllLibraries(@Query() dto: SearchLibraryDto): Promise<LibraryResponseDto[]> {
return this.service.getAll(dto); return this.service.getAll(dto);
} }
@Post() @Post()
@Authenticated(Permission.LIBRARY_CREATE)
createLibrary(@Body() dto: CreateLibraryDto): Promise<LibraryResponseDto> { createLibrary(@Body() dto: CreateLibraryDto): Promise<LibraryResponseDto> {
return this.service.create(dto); return this.service.create(dto);
} }
@Put(':id') @Put(':id')
@Authenticated(Permission.LIBRARY_UPDATE)
updateLibrary(@Param() { id }: UUIDParamDto, @Body() dto: UpdateLibraryDto): Promise<LibraryResponseDto> { updateLibrary(@Param() { id }: UUIDParamDto, @Body() dto: UpdateLibraryDto): Promise<LibraryResponseDto> {
return this.service.update(id, dto); return this.service.update(id, dto);
} }
@Get(':id') @Get(':id')
@Authenticated(Permission.LIBRARY_READ)
getLibrary(@Param() { id }: UUIDParamDto): Promise<LibraryResponseDto> { getLibrary(@Param() { id }: UUIDParamDto): Promise<LibraryResponseDto> {
return this.service.get(id); return this.service.get(id);
} }
@Post(':id/validate') @Post(':id/validate')
@Authenticated(Permission.LIBRARY_READ)
@HttpCode(200) @HttpCode(200)
// TODO: change endpoint to validate current settings instead // TODO: change endpoint to validate current settings instead
validate(@Param() { id }: UUIDParamDto, @Body() dto: ValidateLibraryDto): Promise<ValidateLibraryResponseDto> { validate(@Param() { id }: UUIDParamDto, @Body() dto: ValidateLibraryDto): Promise<ValidateLibraryResponseDto> {
@ -49,23 +53,27 @@ export class LibraryController {
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.LIBRARY_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
deleteLibrary(@Param() { id }: UUIDParamDto): Promise<void> { deleteLibrary(@Param() { id }: UUIDParamDto): Promise<void> {
return this.service.delete(id); return this.service.delete(id);
} }
@Get(':id/statistics') @Get(':id/statistics')
@Authenticated(Permission.LIBRARY_READ)
getLibraryStatistics(@Param() { id }: UUIDParamDto): Promise<LibraryStatsResponseDto> { getLibraryStatistics(@Param() { id }: UUIDParamDto): Promise<LibraryStatsResponseDto> {
return this.service.getStatistics(id); return this.service.getStatistics(id);
} }
@Post(':id/scan') @Post(':id/scan')
@Authenticated(Permission.LIBRARY_UPDATE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
scanLibrary(@Param() { id }: UUIDParamDto, @Body() dto: ScanLibraryDto) { scanLibrary(@Param() { id }: UUIDParamDto, @Body() dto: ScanLibraryDto) {
return this.service.queueScan(id, dto); return this.service.queueScan(id, dto);
} }
@Post(':id/removeOffline') @Post(':id/removeOffline')
@Authenticated(Permission.LIBRARY_UPDATE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
removeOfflineFiles(@Param() { id }: UUIDParamDto) { removeOfflineFiles(@Param() { id }: UUIDParamDto) {
return this.service.queueRemoveOffline(id); return this.service.queueRemoveOffline(id);

10
server/src/controllers/memory.controller.ts
View file

@ -1,7 +1,7 @@
import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post, Put } from '@nestjs/common'; import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post, Put } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto'; import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { MemoryCreateDto, MemoryResponseDto, MemoryUpdateDto } from 'src/dtos/memory.dto'; import { MemoryCreateDto, MemoryResponseDto, MemoryUpdateDto } from 'src/dtos/memory.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { MemoryService } from 'src/services/memory.service'; import { MemoryService } from 'src/services/memory.service';
@ -9,26 +9,29 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('Memory') @ApiTags('Memory')
@Controller('memories') @Controller('memories')
@Authenticated()
export class MemoryController { export class MemoryController {
constructor(private service: MemoryService) {} constructor(private service: MemoryService) {}
@Get() @Get()
@Authenticated(Permission.MEMORY_READ)
searchMemories(@Auth() auth: AuthDto): Promise<MemoryResponseDto[]> { searchMemories(@Auth() auth: AuthDto): Promise<MemoryResponseDto[]> {
return this.service.search(auth); return this.service.search(auth);
} }
@Post() @Post()
@Authenticated(Permission.MEMORY_CREATE)
createMemory(@Auth() auth: AuthDto, @Body() dto: MemoryCreateDto): Promise<MemoryResponseDto> { createMemory(@Auth() auth: AuthDto, @Body() dto: MemoryCreateDto): Promise<MemoryResponseDto> {
return this.service.create(auth, dto); return this.service.create(auth, dto);
} }
@Get(':id') @Get(':id')
@Authenticated(Permission.MEMORY_READ)
getMemory(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<MemoryResponseDto> { getMemory(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<MemoryResponseDto> {
return this.service.get(auth, id); return this.service.get(auth, id);
} }
@Put(':id') @Put(':id')
@Authenticated(Permission.MEMORY_UPDATE)
updateMemory( updateMemory(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -38,12 +41,14 @@ export class MemoryController {
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.MEMORY_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
deleteMemory(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> { deleteMemory(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
return this.service.remove(auth, id); return this.service.remove(auth, id);
} }
@Put(':id/assets') @Put(':id/assets')
@Authenticated(Permission.MEMORY_ADD_ASSET)
addMemoryAssets( addMemoryAssets(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -53,6 +58,7 @@ export class MemoryController {
} }
@Delete(':id/assets') @Delete(':id/assets')
@Authenticated(Permission.MEMORY_REMOVE_ASSET)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
removeMemoryAssets( removeMemoryAssets(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,

9
server/src/controllers/oauth.controller.ts
View file

@ -9,19 +9,18 @@ import {
OAuthAuthorizeResponseDto, OAuthAuthorizeResponseDto,
OAuthCallbackDto, OAuthCallbackDto,
OAuthConfigDto, OAuthConfigDto,
Permission,
} from 'src/dtos/auth.dto'; } from 'src/dtos/auth.dto';
import { UserResponseDto } from 'src/dtos/user.dto'; import { UserResponseDto } from 'src/dtos/user.dto';
import { Auth, Authenticated, GetLoginDetails, PublicRoute } from 'src/middleware/auth.guard'; import { Auth, Authenticated, GetLoginDetails } from 'src/middleware/auth.guard';
import { AuthService, LoginDetails } from 'src/services/auth.service'; import { AuthService, LoginDetails } from 'src/services/auth.service';
import { respondWithCookie } from 'src/utils/response'; import { respondWithCookie } from 'src/utils/response';
@ApiTags('OAuth') @ApiTags('OAuth')
@Controller('oauth') @Controller('oauth')
@Authenticated()
export class OAuthController { export class OAuthController {
constructor(private service: AuthService) {} constructor(private service: AuthService) {}
@PublicRoute()
@Get('mobile-redirect') @Get('mobile-redirect')
@Redirect() @Redirect()
redirectOAuthToMobile(@Req() request: Request) { redirectOAuthToMobile(@Req() request: Request) {
@ -31,13 +30,11 @@ export class OAuthController {
}; };
} }
@PublicRoute()
@Post('authorize') @Post('authorize')
startOAuth(@Body() dto: OAuthConfigDto): Promise<OAuthAuthorizeResponseDto> { startOAuth(@Body() dto: OAuthConfigDto): Promise<OAuthAuthorizeResponseDto> {
return this.service.authorize(dto); return this.service.authorize(dto);
} }
@PublicRoute()
@Post('callback') @Post('callback')
async finishOAuth( async finishOAuth(
@Res({ passthrough: true }) res: Response, @Res({ passthrough: true }) res: Response,
@ -56,11 +53,13 @@ export class OAuthController {
} }
@Post('link') @Post('link')
@Authenticated(Permission.AUTH_OAUTH)
linkOAuthAccount(@Auth() auth: AuthDto, @Body() dto: OAuthCallbackDto): Promise<UserResponseDto> { linkOAuthAccount(@Auth() auth: AuthDto, @Body() dto: OAuthCallbackDto): Promise<UserResponseDto> {
return this.service.link(auth, dto); return this.service.link(auth, dto);
} }
@Post('unlink') @Post('unlink')
@Authenticated(Permission.AUTH_OAUTH)
unlinkOAuthAccount(@Auth() auth: AuthDto): Promise<UserResponseDto> { unlinkOAuthAccount(@Auth() auth: AuthDto): Promise<UserResponseDto> {
return this.service.unlink(auth); return this.service.unlink(auth);
} }

7
server/src/controllers/partner.controller.ts
View file

@ -1,6 +1,6 @@
import { Body, Controller, Delete, Get, Param, Post, Put, Query } from '@nestjs/common'; import { Body, Controller, Delete, Get, Param, Post, Put, Query } from '@nestjs/common';
import { ApiQuery, ApiTags } from '@nestjs/swagger'; import { ApiQuery, ApiTags } from '@nestjs/swagger';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { PartnerResponseDto, UpdatePartnerDto } from 'src/dtos/partner.dto'; import { PartnerResponseDto, UpdatePartnerDto } from 'src/dtos/partner.dto';
import { PartnerDirection } from 'src/interfaces/partner.interface'; import { PartnerDirection } from 'src/interfaces/partner.interface';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
@ -9,11 +9,11 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('Partner') @ApiTags('Partner')
@Controller('partner') @Controller('partner')
@Authenticated()
export class PartnerController { export class PartnerController {
constructor(private service: PartnerService) {} constructor(private service: PartnerService) {}
@Get() @Get()
@Authenticated(Permission.PARTNER_READ)
@ApiQuery({ name: 'direction', type: 'string', enum: PartnerDirection, required: true }) @ApiQuery({ name: 'direction', type: 'string', enum: PartnerDirection, required: true })
// TODO: remove 'direction' and convert to full query dto // TODO: remove 'direction' and convert to full query dto
getPartners(@Auth() auth: AuthDto, @Query('direction') direction: PartnerDirection): Promise<PartnerResponseDto[]> { getPartners(@Auth() auth: AuthDto, @Query('direction') direction: PartnerDirection): Promise<PartnerResponseDto[]> {
@ -21,11 +21,13 @@ export class PartnerController {
} }
@Post(':id') @Post(':id')
@Authenticated(Permission.PARTNER_CREATE)
createPartner(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PartnerResponseDto> { createPartner(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PartnerResponseDto> {
return this.service.create(auth, id); return this.service.create(auth, id);
} }
@Put(':id') @Put(':id')
@Authenticated(Permission.PARTNER_UPDATE)
updatePartner( updatePartner(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -35,6 +37,7 @@ export class PartnerController {
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.PARTNER_DELETE)
removePartner(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> { removePartner(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
return this.service.remove(auth, id); return this.service.remove(auth, id);
} }

13
server/src/controllers/person.controller.ts
View file

@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
import { NextFunction, Response } from 'express'; import { NextFunction, Response } from 'express';
import { BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto'; import { BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto';
import { AssetResponseDto } from 'src/dtos/asset-response.dto'; import { AssetResponseDto } from 'src/dtos/asset-response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { import {
AssetFaceUpdateDto, AssetFaceUpdateDto,
MergePersonDto, MergePersonDto,
@ -22,31 +22,35 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('Person') @ApiTags('Person')
@Controller('person') @Controller('person')
@Authenticated()
export class PersonController { export class PersonController {
constructor(private service: PersonService) {} constructor(private service: PersonService) {}
@Get() @Get()
@Authenticated(Permission.PERSON_READ)
getAllPeople(@Auth() auth: AuthDto, @Query() withHidden: PersonSearchDto): Promise<PeopleResponseDto> { getAllPeople(@Auth() auth: AuthDto, @Query() withHidden: PersonSearchDto): Promise<PeopleResponseDto> {
return this.service.getAll(auth, withHidden); return this.service.getAll(auth, withHidden);
} }
@Post() @Post()
@Authenticated(Permission.PERSON_CREATE)
createPerson(@Auth() auth: AuthDto, @Body() dto: PersonCreateDto): Promise<PersonResponseDto> { createPerson(@Auth() auth: AuthDto, @Body() dto: PersonCreateDto): Promise<PersonResponseDto> {
return this.service.create(auth, dto); return this.service.create(auth, dto);
} }
@Put() @Put()
@Authenticated(Permission.PERSON_UPDATE)
updatePeople(@Auth() auth: AuthDto, @Body() dto: PeopleUpdateDto): Promise<BulkIdResponseDto[]> { updatePeople(@Auth() auth: AuthDto, @Body() dto: PeopleUpdateDto): Promise<BulkIdResponseDto[]> {
return this.service.updateAll(auth, dto); return this.service.updateAll(auth, dto);
} }
@Get(':id') @Get(':id')
@Authenticated(Permission.PERSON_READ)
getPerson(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonResponseDto> { getPerson(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonResponseDto> {
return this.service.getById(auth, id); return this.service.getById(auth, id);
} }
@Put(':id') @Put(':id')
@Authenticated(Permission.PERSON_UPDATE)
updatePerson( updatePerson(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -56,11 +60,13 @@ export class PersonController {
} }
@Get(':id/statistics') @Get(':id/statistics')
@Authenticated(Permission.PERSON_READ)
getPersonStatistics(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonStatisticsResponseDto> { getPersonStatistics(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonStatisticsResponseDto> {
return this.service.getStatistics(auth, id); return this.service.getStatistics(auth, id);
} }
@Get(':id/thumbnail') @Get(':id/thumbnail')
@Authenticated(Permission.PERSON_READ)
@FileResponse() @FileResponse()
async getPersonThumbnail( async getPersonThumbnail(
@Res() res: Response, @Res() res: Response,
@ -72,11 +78,13 @@ export class PersonController {
} }
@Get(':id/assets') @Get(':id/assets')
@Authenticated(Permission.ASSET_READ)
getPersonAssets(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto[]> { getPersonAssets(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto[]> {
return this.service.getAssets(auth, id); return this.service.getAssets(auth, id);
} }
@Put(':id/reassign') @Put(':id/reassign')
@Authenticated(Permission.PERSON_UPDATE)
reassignFaces( reassignFaces(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -86,6 +94,7 @@ export class PersonController {
} }
@Post(':id/merge') @Post(':id/merge')
@Authenticated(Permission.PERSON_UPDATE)
mergePerson( mergePerson(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,

11
server/src/controllers/search.controller.ts
View file

@ -1,7 +1,7 @@
import { Body, Controller, Get, HttpCode, HttpStatus, Post, Query } from '@nestjs/common'; import { Body, Controller, Get, HttpCode, HttpStatus, Post, Query } from '@nestjs/common';
import { ApiOperation, ApiTags } from '@nestjs/swagger'; import { ApiOperation, ApiTags } from '@nestjs/swagger';
import { AssetResponseDto } from 'src/dtos/asset-response.dto'; import { AssetResponseDto } from 'src/dtos/asset-response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { PersonResponseDto } from 'src/dtos/person.dto'; import { PersonResponseDto } from 'src/dtos/person.dto';
import { import {
MetadataSearchDto, MetadataSearchDto,
@ -19,49 +19,56 @@ import { SearchService } from 'src/services/search.service';
@ApiTags('Search') @ApiTags('Search')
@Controller('search') @Controller('search')
@Authenticated()
export class SearchController { export class SearchController {
constructor(private service: SearchService) {} constructor(private service: SearchService) {}
@Get() @Get()
@Authenticated(Permission.ASSET_READ)
@ApiOperation({ deprecated: true }) @ApiOperation({ deprecated: true })
search(@Auth() auth: AuthDto, @Query() dto: SearchDto): Promise<SearchResponseDto> { search(@Auth() auth: AuthDto, @Query() dto: SearchDto): Promise<SearchResponseDto> {
return this.service.search(auth, dto); return this.service.search(auth, dto);
} }
@Post('metadata') @Post('metadata')
@Authenticated(Permission.ASSET_READ)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
searchMetadata(@Auth() auth: AuthDto, @Body() dto: MetadataSearchDto): Promise<SearchResponseDto> { searchMetadata(@Auth() auth: AuthDto, @Body() dto: MetadataSearchDto): Promise<SearchResponseDto> {
return this.service.searchMetadata(auth, dto); return this.service.searchMetadata(auth, dto);
} }
@Post('smart') @Post('smart')
@Authenticated(Permission.ASSET_READ)
@HttpCode(HttpStatus.OK) @HttpCode(HttpStatus.OK)
searchSmart(@Auth() auth: AuthDto, @Body() dto: SmartSearchDto): Promise<SearchResponseDto> { searchSmart(@Auth() auth: AuthDto, @Body() dto: SmartSearchDto): Promise<SearchResponseDto> {
return this.service.searchSmart(auth, dto); return this.service.searchSmart(auth, dto);
} }
@Get('explore') @Get('explore')
@Authenticated(Permission.ASSET_READ)
getExploreData(@Auth() auth: AuthDto): Promise<SearchExploreResponseDto[]> { getExploreData(@Auth() auth: AuthDto): Promise<SearchExploreResponseDto[]> {
return this.service.getExploreData(auth) as Promise<SearchExploreResponseDto[]>; return this.service.getExploreData(auth) as Promise<SearchExploreResponseDto[]>;
} }
@Get('person') @Get('person')
@Authenticated(Permission.PERSON_READ)
searchPerson(@Auth() auth: AuthDto, @Query() dto: SearchPeopleDto): Promise<PersonResponseDto[]> { searchPerson(@Auth() auth: AuthDto, @Query() dto: SearchPeopleDto): Promise<PersonResponseDto[]> {
return this.service.searchPerson(auth, dto); return this.service.searchPerson(auth, dto);
} }
@Get('places') @Get('places')
@Authenticated(Permission.ASSET_READ)
searchPlaces(@Query() dto: SearchPlacesDto): Promise<PlacesResponseDto[]> { searchPlaces(@Query() dto: SearchPlacesDto): Promise<PlacesResponseDto[]> {
return this.service.searchPlaces(dto); return this.service.searchPlaces(dto);
} }
@Get('cities') @Get('cities')
@Authenticated(Permission.ASSET_READ)
getAssetsByCity(@Auth() auth: AuthDto): Promise<AssetResponseDto[]> { getAssetsByCity(@Auth() auth: AuthDto): Promise<AssetResponseDto[]> {
return this.service.getAssetsByCity(auth); return this.service.getAssetsByCity(auth);
} }
@Get('suggestions') @Get('suggestions')
@Authenticated(Permission.ASSET_READ)
getSearchSuggestions(@Auth() auth: AuthDto, @Query() dto: SearchSuggestionRequestDto): Promise<string[]> { getSearchSuggestions(@Auth() auth: AuthDto, @Query() dto: SearchSuggestionRequestDto): Promise<string[]> {
return this.service.getSearchSuggestions(auth, dto); return this.service.getSearchSuggestions(auth, dto);
} }

13
server/src/controllers/server-info.controller.ts
View file

@ -1,5 +1,6 @@
import { Controller, Get } from '@nestjs/common'; import { Controller, Get } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { Permission } from 'src/dtos/auth.dto';
import { import {
ServerConfigDto, ServerConfigDto,
ServerFeaturesDto, ServerFeaturesDto,
@ -10,57 +11,51 @@ import {
ServerThemeDto, ServerThemeDto,
ServerVersionResponseDto, ServerVersionResponseDto,
} from 'src/dtos/server-info.dto'; } from 'src/dtos/server-info.dto';
import { AdminRoute, Authenticated, PublicRoute } from 'src/middleware/auth.guard'; import { Authenticated } from 'src/middleware/auth.guard';
import { ServerInfoService } from 'src/services/server-info.service'; import { ServerInfoService } from 'src/services/server-info.service';
@ApiTags('Server Info') @ApiTags('Server Info')
@Controller('server-info') @Controller('server-info')
@Authenticated()
export class ServerInfoController { export class ServerInfoController {
constructor(private service: ServerInfoService) {} constructor(private service: ServerInfoService) {}
@Get() @Get()
@Authenticated(Permission.SERVER_READ)
getServerInfo(): Promise<ServerInfoResponseDto> { getServerInfo(): Promise<ServerInfoResponseDto> {
return this.service.getInfo(); return this.service.getInfo();
} }
@PublicRoute()
@Get('ping') @Get('ping')
pingServer(): ServerPingResponse { pingServer(): ServerPingResponse {
return this.service.ping(); return this.service.ping();
} }
@PublicRoute()
@Get('version') @Get('version')
getServerVersion(): ServerVersionResponseDto { getServerVersion(): ServerVersionResponseDto {
return this.service.getVersion(); return this.service.getVersion();
} }
@PublicRoute()
@Get('features') @Get('features')
getServerFeatures(): Promise<ServerFeaturesDto> { getServerFeatures(): Promise<ServerFeaturesDto> {
return this.service.getFeatures(); return this.service.getFeatures();
} }
@PublicRoute()
@Get('theme') @Get('theme')
getTheme(): Promise<ServerThemeDto> { getTheme(): Promise<ServerThemeDto> {
return this.service.getTheme(); return this.service.getTheme();
} }
@PublicRoute()
@Get('config') @Get('config')
getServerConfig(): Promise<ServerConfigDto> { getServerConfig(): Promise<ServerConfigDto> {
return this.service.getConfig(); return this.service.getConfig();
} }
@AdminRoute()
@Get('statistics') @Get('statistics')
@Authenticated(Permission.SERVER_READ)
getServerStatistics(): Promise<ServerStatsResponseDto> { getServerStatistics(): Promise<ServerStatsResponseDto> {
return this.service.getStatistics(); return this.service.getStatistics();
} }
@PublicRoute()
@Get('media-types') @Get('media-types')
getSupportedMediaTypes(): ServerMediaTypesResponseDto { getSupportedMediaTypes(): ServerMediaTypesResponseDto {
return this.service.getSupportedMediaTypes(); return this.service.getSupportedMediaTypes();

6
server/src/controllers/session.controller.ts
View file

@ -1,6 +1,6 @@
import { Controller, Delete, Get, HttpCode, HttpStatus, Param } from '@nestjs/common'; import { Controller, Delete, Get, HttpCode, HttpStatus, Param } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { SessionResponseDto } from 'src/dtos/session.dto'; import { SessionResponseDto } from 'src/dtos/session.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { SessionService } from 'src/services/session.service'; import { SessionService } from 'src/services/session.service';
@ -8,22 +8,24 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('Sessions') @ApiTags('Sessions')
@Controller('sessions') @Controller('sessions')
@Authenticated()
export class SessionController { export class SessionController {
constructor(private service: SessionService) {} constructor(private service: SessionService) {}
@Get() @Get()
@Authenticated(Permission.SESSION_READ)
getSessions(@Auth() auth: AuthDto): Promise<SessionResponseDto[]> { getSessions(@Auth() auth: AuthDto): Promise<SessionResponseDto[]> {
return this.service.getAll(auth); return this.service.getAll(auth);
} }
@Delete() @Delete()
@Authenticated(Permission.SESSION_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
deleteAllSessions(@Auth() auth: AuthDto): Promise<void> { deleteAllSessions(@Auth() auth: AuthDto): Promise<void> {
return this.service.deleteAll(auth); return this.service.deleteAll(auth);
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.SESSION_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
deleteSession(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> { deleteSession(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
return this.service.delete(auth, id); return this.service.delete(auth, id);

16
server/src/controllers/shared-link.controller.ts
View file

@ -3,14 +3,14 @@ import { ApiTags } from '@nestjs/swagger';
import { Request, Response } from 'express'; import { Request, Response } from 'express';
import { AssetIdsResponseDto } from 'src/dtos/asset-ids.response.dto'; import { AssetIdsResponseDto } from 'src/dtos/asset-ids.response.dto';
import { AssetIdsDto } from 'src/dtos/asset.dto'; import { AssetIdsDto } from 'src/dtos/asset.dto';
import { AuthDto, ImmichCookie } from 'src/dtos/auth.dto'; import { AuthDto, ImmichCookie, Permission } from 'src/dtos/auth.dto';
import { import {
SharedLinkCreateDto, SharedLinkCreateDto,
SharedLinkEditDto, SharedLinkEditDto,
SharedLinkPasswordDto, SharedLinkPasswordDto,
SharedLinkResponseDto, SharedLinkResponseDto,
} from 'src/dtos/shared-link.dto'; } from 'src/dtos/shared-link.dto';
import { Auth, Authenticated, GetLoginDetails, SharedLinkRoute } from 'src/middleware/auth.guard'; import { Auth, Authenticated, GetLoginDetails } from 'src/middleware/auth.guard';
import { LoginDetails } from 'src/services/auth.service'; import { LoginDetails } from 'src/services/auth.service';
import { SharedLinkService } from 'src/services/shared-link.service'; import { SharedLinkService } from 'src/services/shared-link.service';
import { respondWithCookie } from 'src/utils/response'; import { respondWithCookie } from 'src/utils/response';
@ -18,17 +18,17 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('Shared Link') @ApiTags('Shared Link')
@Controller('shared-link') @Controller('shared-link')
@Authenticated()
export class SharedLinkController { export class SharedLinkController {
constructor(private service: SharedLinkService) {} constructor(private service: SharedLinkService) {}
@Get() @Get()
@Authenticated(Permission.SHARED_LINK_READ)
getAllSharedLinks(@Auth() auth: AuthDto): Promise<SharedLinkResponseDto[]> { getAllSharedLinks(@Auth() auth: AuthDto): Promise<SharedLinkResponseDto[]> {
return this.service.getAll(auth); return this.service.getAll(auth);
} }
@SharedLinkRoute()
@Get('me') @Get('me')
@Authenticated(Permission.SHARED_LINK_READ, { sharedLink: true })
async getMySharedLink( async getMySharedLink(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Query() dto: SharedLinkPasswordDto, @Query() dto: SharedLinkPasswordDto,
@ -48,16 +48,19 @@ export class SharedLinkController {
} }
@Get(':id') @Get(':id')
@Authenticated(Permission.SHARED_LINK_READ)
getSharedLinkById(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<SharedLinkResponseDto> { getSharedLinkById(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<SharedLinkResponseDto> {
return this.service.get(auth, id); return this.service.get(auth, id);
} }
@Post() @Post()
@Authenticated(Permission.SHARED_LINK_CREATE)
createSharedLink(@Auth() auth: AuthDto, @Body() dto: SharedLinkCreateDto) { createSharedLink(@Auth() auth: AuthDto, @Body() dto: SharedLinkCreateDto) {
return this.service.create(auth, dto); return this.service.create(auth, dto);
} }
@Patch(':id') @Patch(':id')
@Authenticated(Permission.SHARED_LINK_UPDATE)
updateSharedLink( updateSharedLink(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -67,12 +70,13 @@ export class SharedLinkController {
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.SHARED_LINK_DELETE)
removeSharedLink(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> { removeSharedLink(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
return this.service.remove(auth, id); return this.service.remove(auth, id);
} }
@SharedLinkRoute()
@Put(':id/assets') @Put(':id/assets')
@Authenticated(Permission.SHARED_LINK_UPDATE, { sharedLink: true })
addSharedLinkAssets( addSharedLinkAssets(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -81,8 +85,8 @@ export class SharedLinkController {
return this.service.addAssets(auth, id, dto); return this.service.addAssets(auth, id, dto);
} }
@SharedLinkRoute()
@Delete(':id/assets') @Delete(':id/assets')
@Authenticated(Permission.SHARED_LINK_DELETE, { sharedLink: true })
removeSharedLinkAssets( removeSharedLinkAssets(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,

5
server/src/controllers/sync.controller.ts
View file

@ -1,23 +1,24 @@
import { Controller, Get, Query } from '@nestjs/common'; import { Controller, Get, Query } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { AssetResponseDto } from 'src/dtos/asset-response.dto'; import { AssetResponseDto } from 'src/dtos/asset-response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { AssetDeltaSyncDto, AssetDeltaSyncResponseDto, AssetFullSyncDto } from 'src/dtos/sync.dto'; import { AssetDeltaSyncDto, AssetDeltaSyncResponseDto, AssetFullSyncDto } from 'src/dtos/sync.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { SyncService } from 'src/services/sync.service'; import { SyncService } from 'src/services/sync.service';
@ApiTags('Sync') @ApiTags('Sync')
@Controller('sync') @Controller('sync')
@Authenticated()
export class SyncController { export class SyncController {
constructor(private service: SyncService) {} constructor(private service: SyncService) {}
@Get('full-sync') @Get('full-sync')
@Authenticated(Permission.ASSET_READ)
getAllForUserFullSync(@Auth() auth: AuthDto, @Query() dto: AssetFullSyncDto): Promise<AssetResponseDto[]> { getAllForUserFullSync(@Auth() auth: AuthDto, @Query() dto: AssetFullSyncDto): Promise<AssetResponseDto[]> {
return this.service.getAllAssetsForUserFullSync(auth, dto); return this.service.getAllAssetsForUserFullSync(auth, dto);
} }
@Get('delta-sync') @Get('delta-sync')
@Authenticated(Permission.ASSET_READ)
getDeltaSync(@Auth() auth: AuthDto, @Query() dto: AssetDeltaSyncDto): Promise<AssetDeltaSyncResponseDto> { getDeltaSync(@Auth() auth: AuthDto, @Query() dto: AssetDeltaSyncDto): Promise<AssetDeltaSyncResponseDto> {
return this.service.getChangesForDeltaSync(auth, dto); return this.service.getChangesForDeltaSync(auth, dto);
} }

11
server/src/controllers/system-config.controller.ts
View file

@ -1,38 +1,41 @@
import { Body, Controller, Get, Put, Query } from '@nestjs/common'; import { Body, Controller, Get, Put, Query } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { Permission } from 'src/dtos/auth.dto';
import { MapThemeDto, SystemConfigDto, SystemConfigTemplateStorageOptionDto } from 'src/dtos/system-config.dto'; import { MapThemeDto, SystemConfigDto, SystemConfigTemplateStorageOptionDto } from 'src/dtos/system-config.dto';
import { AdminRoute, Authenticated, SharedLinkRoute } from 'src/middleware/auth.guard'; import { Authenticated } from 'src/middleware/auth.guard';
import { SystemConfigService } from 'src/services/system-config.service'; import { SystemConfigService } from 'src/services/system-config.service';
@ApiTags('System Config') @ApiTags('System Config')
@Controller('system-config') @Controller('system-config')
@Authenticated({ admin: true })
export class SystemConfigController { export class SystemConfigController {
constructor(private service: SystemConfigService) {} constructor(private service: SystemConfigService) {}
@Get() @Get()
@Authenticated(Permission.SYSTEM_CONFIG_READ)
getConfig(): Promise<SystemConfigDto> { getConfig(): Promise<SystemConfigDto> {
return this.service.getConfig(); return this.service.getConfig();
} }
@Get('defaults') @Get('defaults')
@Authenticated(Permission.SYSTEM_CONFIG_READ)
getConfigDefaults(): SystemConfigDto { getConfigDefaults(): SystemConfigDto {
return this.service.getDefaults(); return this.service.getDefaults();
} }
@Put() @Put()
@Authenticated(Permission.SYSTEM_CONFIG_UPDATE)
updateConfig(@Body() dto: SystemConfigDto): Promise<SystemConfigDto> { updateConfig(@Body() dto: SystemConfigDto): Promise<SystemConfigDto> {
return this.service.updateConfig(dto); return this.service.updateConfig(dto);
} }
@Get('storage-template-options') @Get('storage-template-options')
@Authenticated(Permission.SYSTEM_CONFIG_READ)
getStorageTemplateOptions(): SystemConfigTemplateStorageOptionDto { getStorageTemplateOptions(): SystemConfigTemplateStorageOptionDto {
return this.service.getStorageTemplateOptions(); return this.service.getStorageTemplateOptions();
} }
@AdminRoute(false)
@SharedLinkRoute()
@Get('map/style.json') @Get('map/style.json')
@Authenticated(Permission.MAP_READ, { sharedLink: true })
getMapStyle(@Query() dto: MapThemeDto) { getMapStyle(@Query() dto: MapThemeDto) {
return this.service.getMapStyle(dto.theme); return this.service.getMapStyle(dto.theme);
} }

5
server/src/controllers/system-metadata.controller.ts
View file

@ -1,27 +1,30 @@
import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common'; import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { Permission } from 'src/dtos/auth.dto';
import { AdminOnboardingUpdateDto, ReverseGeocodingStateResponseDto } from 'src/dtos/system-metadata.dto'; import { AdminOnboardingUpdateDto, ReverseGeocodingStateResponseDto } from 'src/dtos/system-metadata.dto';
import { Authenticated } from 'src/middleware/auth.guard'; import { Authenticated } from 'src/middleware/auth.guard';
import { SystemMetadataService } from 'src/services/system-metadata.service'; import { SystemMetadataService } from 'src/services/system-metadata.service';
@ApiTags('System Metadata') @ApiTags('System Metadata')
@Controller('system-metadata') @Controller('system-metadata')
@Authenticated({ admin: true })
export class SystemMetadataController { export class SystemMetadataController {
constructor(private service: SystemMetadataService) {} constructor(private service: SystemMetadataService) {}
@Get('admin-onboarding') @Get('admin-onboarding')
@Authenticated(Permission.SYSTEM_METADATA_READ)
getAdminOnboarding(): Promise<AdminOnboardingUpdateDto> { getAdminOnboarding(): Promise<AdminOnboardingUpdateDto> {
return this.service.getAdminOnboarding(); return this.service.getAdminOnboarding();
} }
@Post('admin-onboarding') @Post('admin-onboarding')
@Authenticated(Permission.SYSTEM_METADATA_UPDATE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
updateAdminOnboarding(@Body() dto: AdminOnboardingUpdateDto): Promise<void> { updateAdminOnboarding(@Body() dto: AdminOnboardingUpdateDto): Promise<void> {
return this.service.updateAdminOnboarding(dto); return this.service.updateAdminOnboarding(dto);
} }
@Get('reverse-geocoding-state') @Get('reverse-geocoding-state')
@Authenticated(Permission.SYSTEM_METADATA_READ)
getReverseGeocodingState(): Promise<ReverseGeocodingStateResponseDto> { getReverseGeocodingState(): Promise<ReverseGeocodingStateResponseDto> {
return this.service.getReverseGeocodingState(); return this.service.getReverseGeocodingState();
} }

11
server/src/controllers/tag.controller.ts
View file

@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
import { AssetIdsResponseDto } from 'src/dtos/asset-ids.response.dto'; import { AssetIdsResponseDto } from 'src/dtos/asset-ids.response.dto';
import { AssetResponseDto } from 'src/dtos/asset-response.dto'; import { AssetResponseDto } from 'src/dtos/asset-response.dto';
import { AssetIdsDto } from 'src/dtos/asset.dto'; import { AssetIdsDto } from 'src/dtos/asset.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { CreateTagDto, TagResponseDto, UpdateTagDto } from 'src/dtos/tag.dto'; import { CreateTagDto, TagResponseDto, UpdateTagDto } from 'src/dtos/tag.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { TagService } from 'src/services/tag.service'; import { TagService } from 'src/services/tag.service';
@ -11,41 +11,47 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('Tag') @ApiTags('Tag')
@Controller('tag') @Controller('tag')
@Authenticated()
export class TagController { export class TagController {
constructor(private service: TagService) {} constructor(private service: TagService) {}
@Post() @Post()
@Authenticated(Permission.TAG_CREATE)
createTag(@Auth() auth: AuthDto, @Body() dto: CreateTagDto): Promise<TagResponseDto> { createTag(@Auth() auth: AuthDto, @Body() dto: CreateTagDto): Promise<TagResponseDto> {
return this.service.create(auth, dto); return this.service.create(auth, dto);
} }
@Get() @Get()
@Authenticated(Permission.TAG_READ)
getAllTags(@Auth() auth: AuthDto): Promise<TagResponseDto[]> { getAllTags(@Auth() auth: AuthDto): Promise<TagResponseDto[]> {
return this.service.getAll(auth); return this.service.getAll(auth);
} }
@Get(':id') @Get(':id')
@Authenticated(Permission.TAG_READ)
getTagById(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<TagResponseDto> { getTagById(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<TagResponseDto> {
return this.service.getById(auth, id); return this.service.getById(auth, id);
} }
@Patch(':id') @Patch(':id')
@Authenticated(Permission.TAG_UPDATE)
updateTag(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto, @Body() dto: UpdateTagDto): Promise<TagResponseDto> { updateTag(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto, @Body() dto: UpdateTagDto): Promise<TagResponseDto> {
return this.service.update(auth, id, dto); return this.service.update(auth, id, dto);
} }
@Delete(':id') @Delete(':id')
@Authenticated(Permission.TAG_DELETE)
deleteTag(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> { deleteTag(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
return this.service.remove(auth, id); return this.service.remove(auth, id);
} }
@Get(':id/assets') @Get(':id/assets')
@Authenticated(Permission.TAG_READ)
getTagAssets(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto[]> { getTagAssets(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto[]> {
return this.service.getAssets(auth, id); return this.service.getAssets(auth, id);
} }
@Put(':id/assets') @Put(':id/assets')
@Authenticated(Permission.TAG_UPDATE)
tagAssets( tagAssets(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -55,6 +61,7 @@ export class TagController {
} }
@Delete(':id/assets') @Delete(':id/assets')
@Authenticated(Permission.TAG_UPDATE)
untagAssets( untagAssets(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Body() dto: AssetIdsDto, @Body() dto: AssetIdsDto,

7
server/src/controllers/timeline.controller.ts
View file

@ -1,24 +1,23 @@
import { Controller, Get, Query } from '@nestjs/common'; import { Controller, Get, Query } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { AssetResponseDto } from 'src/dtos/asset-response.dto'; import { AssetResponseDto } from 'src/dtos/asset-response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { TimeBucketAssetDto, TimeBucketDto, TimeBucketResponseDto } from 'src/dtos/time-bucket.dto'; import { TimeBucketAssetDto, TimeBucketDto, TimeBucketResponseDto } from 'src/dtos/time-bucket.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { TimelineService } from 'src/services/timeline.service'; import { TimelineService } from 'src/services/timeline.service';
@ApiTags('Timeline') @ApiTags('Timeline')
@Controller('timeline') @Controller('timeline')
@Authenticated()
export class TimelineController { export class TimelineController {
constructor(private service: TimelineService) {} constructor(private service: TimelineService) {}
@Authenticated({ isShared: true }) @Authenticated(Permission.ASSET_READ, { sharedLink: true })
@Get('buckets') @Get('buckets')
getTimeBuckets(@Auth() auth: AuthDto, @Query() dto: TimeBucketDto): Promise<TimeBucketResponseDto[]> { getTimeBuckets(@Auth() auth: AuthDto, @Query() dto: TimeBucketDto): Promise<TimeBucketResponseDto[]> {
return this.service.getTimeBuckets(auth, dto); return this.service.getTimeBuckets(auth, dto);
} }
@Authenticated({ isShared: true }) @Authenticated(Permission.ASSET_READ, { sharedLink: true })
@Get('bucket') @Get('bucket')
getTimeBucket(@Auth() auth: AuthDto, @Query() dto: TimeBucketAssetDto): Promise<AssetResponseDto[]> { getTimeBucket(@Auth() auth: AuthDto, @Query() dto: TimeBucketAssetDto): Promise<AssetResponseDto[]> {
return this.service.getTimeBucket(auth, dto) as Promise<AssetResponseDto[]>; return this.service.getTimeBucket(auth, dto) as Promise<AssetResponseDto[]>;

6
server/src/controllers/trash.controller.ts
View file

@ -1,29 +1,31 @@
import { Body, Controller, HttpCode, HttpStatus, Post } from '@nestjs/common'; import { Body, Controller, HttpCode, HttpStatus, Post } from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger'; import { ApiTags } from '@nestjs/swagger';
import { BulkIdsDto } from 'src/dtos/asset-ids.response.dto'; import { BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { Auth, Authenticated } from 'src/middleware/auth.guard'; import { Auth, Authenticated } from 'src/middleware/auth.guard';
import { TrashService } from 'src/services/trash.service'; import { TrashService } from 'src/services/trash.service';
@ApiTags('Trash') @ApiTags('Trash')
@Controller('trash') @Controller('trash')
@Authenticated()
export class TrashController { export class TrashController {
constructor(private service: TrashService) {} constructor(private service: TrashService) {}
@Post('empty') @Post('empty')
@Authenticated(Permission.ASSET_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
emptyTrash(@Auth() auth: AuthDto): Promise<void> { emptyTrash(@Auth() auth: AuthDto): Promise<void> {
return this.service.empty(auth); return this.service.empty(auth);
} }
@Post('restore') @Post('restore')
@Authenticated(Permission.ASSET_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
restoreTrash(@Auth() auth: AuthDto): Promise<void> { restoreTrash(@Auth() auth: AuthDto): Promise<void> {
return this.service.restore(auth); return this.service.restore(auth);
} }
@Post('restore/assets') @Post('restore/assets')
@Authenticated(Permission.ASSET_DELETE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
restoreAssets(@Auth() auth: AuthDto, @Body() dto: BulkIdsDto): Promise<void> { restoreAssets(@Auth() auth: AuthDto, @Body() dto: BulkIdsDto): Promise<void> {
return this.service.restoreAssets(auth, dto); return this.service.restoreAssets(auth, dto);

18
server/src/controllers/user.controller.ts
View file

@ -16,10 +16,10 @@ import {
} from '@nestjs/common'; } from '@nestjs/common';
import { ApiBody, ApiConsumes, ApiTags } from '@nestjs/swagger'; import { ApiBody, ApiConsumes, ApiTags } from '@nestjs/swagger';
import { NextFunction, Response } from 'express'; import { NextFunction, Response } from 'express';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { CreateProfileImageDto, CreateProfileImageResponseDto } from 'src/dtos/user-profile.dto'; import { CreateProfileImageDto, CreateProfileImageResponseDto } from 'src/dtos/user-profile.dto';
import { CreateUserDto, DeleteUserDto, UpdateUserDto, UserResponseDto } from 'src/dtos/user.dto'; import { CreateUserDto, DeleteUserDto, UpdateUserDto, UserResponseDto } from 'src/dtos/user.dto';
import { AdminRoute, Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard'; import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
import { FileUploadInterceptor, Route } from 'src/middleware/file-upload.interceptor'; import { FileUploadInterceptor, Route } from 'src/middleware/file-upload.interceptor';
import { UserService } from 'src/services/user.service'; import { UserService } from 'src/services/user.service';
import { sendFile } from 'src/utils/file'; import { sendFile } from 'src/utils/file';
@ -27,39 +27,42 @@ import { UUIDParamDto } from 'src/validation';
@ApiTags('User') @ApiTags('User')
@Controller(Route.USER) @Controller(Route.USER)
@Authenticated()
export class UserController { export class UserController {
constructor(private service: UserService) {} constructor(private service: UserService) {}
@Get() @Get()
@Authenticated(Permission.USER_READ)
getAllUsers(@Auth() auth: AuthDto, @Query('isAll') isAll: boolean): Promise<UserResponseDto[]> { getAllUsers(@Auth() auth: AuthDto, @Query('isAll') isAll: boolean): Promise<UserResponseDto[]> {
return this.service.getAll(auth, isAll); return this.service.getAll(auth, isAll);
} }
@Get('info/:id') @Get('info/:id')
@Authenticated(Permission.USER_READ)
getUserById(@Param() { id }: UUIDParamDto): Promise<UserResponseDto> { getUserById(@Param() { id }: UUIDParamDto): Promise<UserResponseDto> {
return this.service.get(id); return this.service.get(id);
} }
@Get('me') @Get('me')
@Authenticated(Permission.USER_READ)
getMyUserInfo(@Auth() auth: AuthDto): Promise<UserResponseDto> { getMyUserInfo(@Auth() auth: AuthDto): Promise<UserResponseDto> {
return this.service.getMe(auth); return this.service.getMe(auth);
} }
@AdminRoute()
@Post() @Post()
@Authenticated(Permission.USER_CREATE)
createUser(@Body() createUserDto: CreateUserDto): Promise<UserResponseDto> { createUser(@Body() createUserDto: CreateUserDto): Promise<UserResponseDto> {
return this.service.create(createUserDto); return this.service.create(createUserDto);
} }
@Delete('profile-image') @Delete('profile-image')
@Authenticated(Permission.USER_UPDATE)
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
deleteProfileImage(@Auth() auth: AuthDto): Promise<void> { deleteProfileImage(@Auth() auth: AuthDto): Promise<void> {
return this.service.deleteProfileImage(auth); return this.service.deleteProfileImage(auth);
} }
@AdminRoute()
@Delete(':id') @Delete(':id')
@Authenticated(Permission.USER_DELETE)
deleteUser( deleteUser(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@Param() { id }: UUIDParamDto, @Param() { id }: UUIDParamDto,
@ -68,14 +71,15 @@ export class UserController {
return this.service.delete(auth, id, dto); return this.service.delete(auth, id, dto);
} }
@AdminRoute()
@Post(':id/restore') @Post(':id/restore')
@Authenticated(Permission.USER_DELETE)
restoreUser(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<UserResponseDto> { restoreUser(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<UserResponseDto> {
return this.service.restore(auth, id); return this.service.restore(auth, id);
} }
// TODO: replace with @Put(':id') // TODO: replace with @Put(':id')
@Put() @Put()
@Authenticated(Permission.USER_UPDATE)
updateUser(@Auth() auth: AuthDto, @Body() updateUserDto: UpdateUserDto): Promise<UserResponseDto> { updateUser(@Auth() auth: AuthDto, @Body() updateUserDto: UpdateUserDto): Promise<UserResponseDto> {
return this.service.update(auth, updateUserDto); return this.service.update(auth, updateUserDto);
} }
@ -84,6 +88,7 @@ export class UserController {
@ApiConsumes('multipart/form-data') @ApiConsumes('multipart/form-data')
@ApiBody({ description: 'A new avatar for the user', type: CreateProfileImageDto }) @ApiBody({ description: 'A new avatar for the user', type: CreateProfileImageDto })
@Post('profile-image') @Post('profile-image')
@Authenticated(Permission.USER_UPDATE)
createProfileImage( createProfileImage(
@Auth() auth: AuthDto, @Auth() auth: AuthDto,
@UploadedFile() fileInfo: Express.Multer.File, @UploadedFile() fileInfo: Express.Multer.File,
@ -92,6 +97,7 @@ export class UserController {
} }
@Get('profile-image/:id') @Get('profile-image/:id')
@Authenticated(Permission.USER_READ)
@FileResponse() @FileResponse()
async getProfileImage(@Res() res: Response, @Next() next: NextFunction, @Param() { id }: UUIDParamDto) { async getProfileImage(@Res() res: Response, @Next() next: NextFunction, @Param() { id }: UUIDParamDto) {
await sendFile(res, next, () => this.service.getProfileImage(id)); await sendFile(res, next, () => this.service.getProfileImage(id));

82
server/src/cores/access.core.ts
View file

@ -4,7 +4,7 @@ import { SharedLinkEntity } from 'src/entities/shared-link.entity';
import { IAccessRepository } from 'src/interfaces/access.interface'; import { IAccessRepository } from 'src/interfaces/access.interface';
import { setDifference, setIsEqual, setUnion } from 'src/utils/set'; import { setDifference, setIsEqual, setUnion } from 'src/utils/set';
export enum Permission { export enum AccessPermission {
ACTIVITY_CREATE = 'activity.create', ACTIVITY_CREATE = 'activity.create',
ACTIVITY_DELETE = 'activity.delete', ACTIVITY_DELETE = 'activity.delete',
@ -74,7 +74,7 @@ export class AccessCore {
* Check if user has access to all ids, for the given permission. * Check if user has access to all ids, for the given permission.
* Throws error if user does not have access to any of the ids. * Throws error if user does not have access to any of the ids.
*/ */
async requirePermission(auth: AuthDto, permission: Permission, ids: string[] | string) { async requirePermission(auth: AuthDto, permission: AccessPermission, ids: string[] | string) {
ids = Array.isArray(ids) ? ids : [ids]; ids = Array.isArray(ids) ? ids : [ids];
const allowedIds = await this.checkAccess(auth, permission, ids); const allowedIds = await this.checkAccess(auth, permission, ids);
if (!setIsEqual(new Set(ids), allowedIds)) { if (!setIsEqual(new Set(ids), allowedIds)) {
@ -88,7 +88,7 @@ export class AccessCore {
* *
* @returns Set<string> * @returns Set<string>
*/ */
async checkAccess(auth: AuthDto, permission: Permission, ids: Set<string> | string[]): Promise<Set<string>> { async checkAccess(auth: AuthDto, permission: AccessPermission, ids: Set<string> | string[]): Promise<Set<string>> {
const idSet = Array.isArray(ids) ? new Set(ids) : ids; const idSet = Array.isArray(ids) ? new Set(ids) : ids;
if (idSet.size === 0) { if (idSet.size === 0) {
return new Set(); return new Set();
@ -103,40 +103,40 @@ export class AccessCore {
private async checkAccessSharedLink( private async checkAccessSharedLink(
sharedLink: SharedLinkEntity, sharedLink: SharedLinkEntity,
permission: Permission, permission: AccessPermission,
ids: Set<string>, ids: Set<string>,
): Promise<Set<string>> { ): Promise<Set<string>> {
const sharedLinkId = sharedLink.id; const sharedLinkId = sharedLink.id;
switch (permission) { switch (permission) {
case Permission.ASSET_READ: { case AccessPermission.ASSET_READ: {
return await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids); return await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids);
} }
case Permission.ASSET_VIEW: { case AccessPermission.ASSET_VIEW: {
return await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids); return await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids);
} }
case Permission.ASSET_DOWNLOAD: { case AccessPermission.ASSET_DOWNLOAD: {
return sharedLink.allowDownload return sharedLink.allowDownload
? await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids) ? await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids)
: new Set(); : new Set();
} }
case Permission.ASSET_UPLOAD: { case AccessPermission.ASSET_UPLOAD: {
return sharedLink.allowUpload ? ids : new Set(); return sharedLink.allowUpload ? ids : new Set();
} }
case Permission.ASSET_SHARE: { case AccessPermission.ASSET_SHARE: {
// TODO: fix this to not use sharedLink.userId for access control // TODO: fix this to not use sharedLink.userId for access control
return await this.repository.asset.checkOwnerAccess(sharedLink.userId, ids); return await this.repository.asset.checkOwnerAccess(sharedLink.userId, ids);
} }
case Permission.ALBUM_READ: { case AccessPermission.ALBUM_READ: {
return await this.repository.album.checkSharedLinkAccess(sharedLinkId, ids); return await this.repository.album.checkSharedLinkAccess(sharedLinkId, ids);
} }
case Permission.ALBUM_DOWNLOAD: { case AccessPermission.ALBUM_DOWNLOAD: {
return sharedLink.allowDownload return sharedLink.allowDownload
? await this.repository.album.checkSharedLinkAccess(sharedLinkId, ids) ? await this.repository.album.checkSharedLinkAccess(sharedLinkId, ids)
: new Set(); : new Set();
@ -148,15 +148,15 @@ export class AccessCore {
} }
} }
private async checkAccessOther(auth: AuthDto, permission: Permission, ids: Set<string>): Promise<Set<string>> { private async checkAccessOther(auth: AuthDto, permission: AccessPermission, ids: Set<string>): Promise<Set<string>> {
switch (permission) { switch (permission) {
// uses album id // uses album id
case Permission.ACTIVITY_CREATE: { case AccessPermission.ACTIVITY_CREATE: {
return await this.repository.activity.checkCreateAccess(auth.user.id, ids); return await this.repository.activity.checkCreateAccess(auth.user.id, ids);
} }
// uses activity id // uses activity id
case Permission.ACTIVITY_DELETE: { case AccessPermission.ACTIVITY_DELETE: {
const isOwner = await this.repository.activity.checkOwnerAccess(auth.user.id, ids); const isOwner = await this.repository.activity.checkOwnerAccess(auth.user.id, ids);
const isAlbumOwner = await this.repository.activity.checkAlbumOwnerAccess( const isAlbumOwner = await this.repository.activity.checkAlbumOwnerAccess(
auth.user.id, auth.user.id,
@ -165,7 +165,7 @@ export class AccessCore {
return setUnion(isOwner, isAlbumOwner); return setUnion(isOwner, isAlbumOwner);
} }
case Permission.ASSET_READ: { case AccessPermission.ASSET_READ: {
const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids); const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner)); const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
const isPartner = await this.repository.asset.checkPartnerAccess( const isPartner = await this.repository.asset.checkPartnerAccess(
@ -175,13 +175,13 @@ export class AccessCore {
return setUnion(isOwner, isAlbum, isPartner); return setUnion(isOwner, isAlbum, isPartner);
} }
case Permission.ASSET_SHARE: { case AccessPermission.ASSET_SHARE: {
const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids); const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
const isPartner = await this.repository.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner)); const isPartner = await this.repository.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner));
return setUnion(isOwner, isPartner); return setUnion(isOwner, isPartner);
} }
case Permission.ASSET_VIEW: { case AccessPermission.ASSET_VIEW: {
const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids); const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner)); const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
const isPartner = await this.repository.asset.checkPartnerAccess( const isPartner = await this.repository.asset.checkPartnerAccess(
@ -191,7 +191,7 @@ export class AccessCore {
return setUnion(isOwner, isAlbum, isPartner); return setUnion(isOwner, isAlbum, isPartner);
} }
case Permission.ASSET_DOWNLOAD: { case AccessPermission.ASSET_DOWNLOAD: {
const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids); const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner)); const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
const isPartner = await this.repository.asset.checkPartnerAccess( const isPartner = await this.repository.asset.checkPartnerAccess(
@ -201,101 +201,101 @@ export class AccessCore {
return setUnion(isOwner, isAlbum, isPartner); return setUnion(isOwner, isAlbum, isPartner);
} }
case Permission.ASSET_UPDATE: { case AccessPermission.ASSET_UPDATE: {
return await this.repository.asset.checkOwnerAccess(auth.user.id, ids); return await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.ASSET_DELETE: { case AccessPermission.ASSET_DELETE: {
return await this.repository.asset.checkOwnerAccess(auth.user.id, ids); return await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.ASSET_RESTORE: { case AccessPermission.ASSET_RESTORE: {
return await this.repository.asset.checkOwnerAccess(auth.user.id, ids); return await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.ALBUM_READ: { case AccessPermission.ALBUM_READ: {
const isOwner = await this.repository.album.checkOwnerAccess(auth.user.id, ids); const isOwner = await this.repository.album.checkOwnerAccess(auth.user.id, ids);
const isShared = await this.repository.album.checkSharedAlbumAccess(auth.user.id, setDifference(ids, isOwner)); const isShared = await this.repository.album.checkSharedAlbumAccess(auth.user.id, setDifference(ids, isOwner));
return setUnion(isOwner, isShared); return setUnion(isOwner, isShared);
} }
case Permission.ALBUM_UPDATE: { case AccessPermission.ALBUM_UPDATE: {
return await this.repository.album.checkOwnerAccess(auth.user.id, ids); return await this.repository.album.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.ALBUM_DELETE: { case AccessPermission.ALBUM_DELETE: {
return await this.repository.album.checkOwnerAccess(auth.user.id, ids); return await this.repository.album.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.ALBUM_SHARE: { case AccessPermission.ALBUM_SHARE: {
return await this.repository.album.checkOwnerAccess(auth.user.id, ids); return await this.repository.album.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.ALBUM_DOWNLOAD: { case AccessPermission.ALBUM_DOWNLOAD: {
const isOwner = await this.repository.album.checkOwnerAccess(auth.user.id, ids); const isOwner = await this.repository.album.checkOwnerAccess(auth.user.id, ids);
const isShared = await this.repository.album.checkSharedAlbumAccess(auth.user.id, setDifference(ids, isOwner)); const isShared = await this.repository.album.checkSharedAlbumAccess(auth.user.id, setDifference(ids, isOwner));
return setUnion(isOwner, isShared); return setUnion(isOwner, isShared);
} }
case Permission.ALBUM_REMOVE_ASSET: { case AccessPermission.ALBUM_REMOVE_ASSET: {
return await this.repository.album.checkOwnerAccess(auth.user.id, ids); return await this.repository.album.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.ASSET_UPLOAD: { case AccessPermission.ASSET_UPLOAD: {
return await this.repository.library.checkOwnerAccess(auth.user.id, ids); return await this.repository.library.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.ARCHIVE_READ: { case AccessPermission.ARCHIVE_READ: {
return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set(); return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set();
} }
case Permission.AUTH_DEVICE_DELETE: { case AccessPermission.AUTH_DEVICE_DELETE: {
return await this.repository.authDevice.checkOwnerAccess(auth.user.id, ids); return await this.repository.authDevice.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.TIMELINE_READ: { case AccessPermission.TIMELINE_READ: {
const isOwner = ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set<string>(); const isOwner = ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set<string>();
const isPartner = await this.repository.timeline.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner)); const isPartner = await this.repository.timeline.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner));
return setUnion(isOwner, isPartner); return setUnion(isOwner, isPartner);
} }
case Permission.TIMELINE_DOWNLOAD: { case AccessPermission.TIMELINE_DOWNLOAD: {
return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set(); return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set();
} }
case Permission.MEMORY_READ: { case AccessPermission.MEMORY_READ: {
return this.repository.memory.checkOwnerAccess(auth.user.id, ids); return this.repository.memory.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.MEMORY_WRITE: { case AccessPermission.MEMORY_WRITE: {
return this.repository.memory.checkOwnerAccess(auth.user.id, ids); return this.repository.memory.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.MEMORY_DELETE: { case AccessPermission.MEMORY_DELETE: {
return this.repository.memory.checkOwnerAccess(auth.user.id, ids); return this.repository.memory.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.PERSON_READ: { case AccessPermission.PERSON_READ: {
return await this.repository.person.checkOwnerAccess(auth.user.id, ids); return await this.repository.person.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.PERSON_WRITE: { case AccessPermission.PERSON_WRITE: {
return await this.repository.person.checkOwnerAccess(auth.user.id, ids); return await this.repository.person.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.PERSON_MERGE: { case AccessPermission.PERSON_MERGE: {
return await this.repository.person.checkOwnerAccess(auth.user.id, ids); return await this.repository.person.checkOwnerAccess(auth.user.id, ids);
} }
case Permission.PERSON_CREATE: { case AccessPermission.PERSON_CREATE: {
return this.repository.person.checkFaceOwnerAccess(auth.user.id, ids); return this.repository.person.checkFaceOwnerAccess(auth.user.id, ids);
} }
case Permission.PERSON_REASSIGN: { case AccessPermission.PERSON_REASSIGN: {
return this.repository.person.checkFaceOwnerAccess(auth.user.id, ids); return this.repository.person.checkFaceOwnerAccess(auth.user.id, ids);
} }
case Permission.PARTNER_UPDATE: { case AccessPermission.PARTNER_UPDATE: {
return await this.repository.partner.checkUpdateAccess(auth.user.id, ids); return await this.repository.partner.checkUpdateAccess(auth.user.id, ids);
} }

9
server/src/cores/user.core.ts
View file

@ -48,6 +48,10 @@ export class UserCore {
throw new BadRequestException('The server already has an admin'); throw new BadRequestException('The server already has an admin');
} }
if (dto.permissions) {
// TODO validate granted permissions
}
if (dto.email) { if (dto.email) {
const duplicate = await this.userRepository.getByEmail(dto.email); const duplicate = await this.userRepository.getByEmail(dto.email);
if (duplicate && duplicate.id !== id) { if (duplicate && duplicate.id !== id) {
@ -93,6 +97,11 @@ export class UserCore {
if (payload.storageLabel) { if (payload.storageLabel) {
payload.storageLabel = sanitize(payload.storageLabel.replaceAll('.', '')); payload.storageLabel = sanitize(payload.storageLabel.replaceAll('.', ''));
} }
if (payload.permissions) {
// TODO validate permissions
}
const userEntity = await this.userRepository.create(payload); const userEntity = await this.userRepository.create(payload);
await this.libraryRepository.create({ await this.libraryRepository.create({
owner: { id: userEntity.id } as UserEntity, owner: { id: userEntity.id } as UserEntity,

189
server/src/dtos/auth.dto.ts
View file

@ -25,6 +25,195 @@ export type CookieResponse = {
values: Array<{ key: ImmichCookie; value: string }>; values: Array<{ key: ImmichCookie; value: string }>;
}; };
export enum PermissionPreset {
USER = 'user',
ADMIN = 'admin',
CUSTOM = 'custom',
}
export enum Permission {
ACTIVITY_CREATE = 'activity.create',
ACTIVITY_READ = 'activity.read',
ACTIVITY_UPDATE = 'activity.update',
ACTIVITY_DELETE = 'activity.delete',
ALBUM_CREATE = 'album.create',
ALBUM_READ = 'album.read',
ALBUM_UPDATE = 'album.update',
ALBUM_DELETE = 'album.delete',
ASSET_CREATE = 'asset.create',
ASSET_READ = 'asset.read',
ASSET_UPDATE = 'asset.update',
ASSET_DELETE = 'asset.delete',
API_KEY_CREATE = 'apiKey.create',
API_KEY_READ = 'apiKey.read',
API_KEY_UPDATE = 'apiKey.update',
API_KEY_DELETE = 'apiKey.delete',
AUTH_DEVICE_CREATE = 'authDevice.create',
AUTH_DEVICE_READ = 'authDevice.read',
AUTH_DEVICE_UPDATE = 'authDevice.update',
AUTH_DEVICE_DELETE = 'authDevice.delete',
FACE_CREATE = 'face.create',
FACE_READ = 'face.read',
FACE_UPDATE = 'face.update',
FACE_DELETE = 'face.delete',
LIBRARY_CREATE = 'library.create',
LIBRARY_READ = 'library.read',
LIBRARY_UPDATE = 'library.update',
LIBRARY_DELETE = 'library.delete',
MEMORY_CREATE = 'memory.create',
MEMORY_READ = 'memory.read',
MEMORY_UPDATE = 'memory.update',
MEMORY_DELETE = 'memory.delete',
MEMORY_ADD_ASSET = 'memory.addAsset',
MEMORY_REMOVE_ASSET = 'memory.removeAsset',
PARTNER_CREATE = 'partner.create',
PARTNER_READ = 'partner.read',
PARTNER_UPDATE = 'partner.update',
PARTNER_DELETE = 'partner.delete',
PERSON_CREATE = 'person.create',
PERSON_READ = 'person.read',
PERSON_UPDATE = 'person.update',
PERSON_DELETE = 'person.delete',
REPORT_CREATE = 'report.create',
REPORT_READ = 'report.read',
REPORT_UPDATE = 'report.update',
REPORT_DELETE = 'report.delete',
SESSION_CREATE = 'session.create',
SESSION_READ = 'session.read',
SESSION_UPDATE = 'session.update',
SESSION_DELETE = 'session.delete',
SHARED_LINK_CREATE = 'sharedLink.create',
SHARED_LINK_READ = 'sharedLink.read',
SHARED_LINK_UPDATE = 'sharedLink.update',
SHARED_LINK_DELETE = 'sharedLink.delete',
SYSTEM_CONFIG_CREATE = 'systemConfig.create',
SYSTEM_CONFIG_READ = 'systemConfig.read',
SYSTEM_CONFIG_UPDATE = 'systemConfig.update',
SYSTEM_CONFIG_DELETE = 'systemConfig.delete',
SYSTEM_METADATA_CREATE = 'systemMetadata.create',
SYSTEM_METADATA_READ = 'systemMetadata.read',
SYSTEM_METADATA_UPDATE = 'systemMetadata.update',
SYSTEM_METADATA_DELETE = 'systemMetadata.delete',
STACK_CREATE = 'stack.create',
STACK_READ = 'stack.read',
STACK_UPDATE = 'stack.update',
STACK_DELETE = 'stack.delete',
TAG_CREATE = 'tag.create',
TAG_READ = 'tag.read',
TAG_UPDATE = 'tag.update',
TAG_DELETE = 'tag.delete',
USER_CREATE = 'user.create',
USER_READ = 'user.read',
USER_UPDATE = 'user.update',
USER_DELETE = 'user.delete',
// other
AUTH_CHANGE_PASSWORD = 'auth.changePassword',
AUTH_OAUTH = 'auth.oauth',
ALBUM_ADD_ASSET = 'album.addAsset',
ALBUM_REMOVE_ASSET = 'album.removeAsset',
ALBUM_ADD_USER = 'album.addUser',
ALBUM_REMOVE_USER = 'album.removeUser',
ASSET_VIEW_THUMB = 'asset.viewThumb',
ASSET_VIEW_PREVIEW = 'asset.viewPreview',
ASSET_VIEW_ORIGINAL = 'asset.viewOriginal',
ASSET_UPLOAD = 'asset.upload',
ASSET_DOWNLOAD = 'asset.download',
JOB_READ = 'job.read',
JOB_RUN = 'job.run',
MAP_READ = 'map.read',
USER_READ_SIMPLE = 'user.readSimple',
USER_CHANGE_PASSWORD = 'user.changePassword',
SERVER_READ = 'server.read',
SERVER_SETUP = 'server.setup',
}
export const presetToPermissions = ({
permissionPreset: preset,
permissions,
}: {
permissionPreset?: PermissionPreset;
permissions?: Permission[];
}) => {
switch (preset) {
case PermissionPreset.ADMIN: {
return ALL_PERMISSIONS;
}
case PermissionPreset.USER: {
return USER_PERMISSIONS;
}
case PermissionPreset.CUSTOM: {
return permissions ?? [];
}
default: {
return;
}
}
};
export const ALL_PERMISSIONS = Object.values(Permission);
export const USER_PERMISSIONS = ALL_PERMISSIONS.filter((permission) => {
switch (permission) {
case Permission.JOB_READ:
case Permission.JOB_RUN:
case Permission.LIBRARY_READ:
case Permission.LIBRARY_CREATE:
case Permission.LIBRARY_UPDATE:
case Permission.LIBRARY_DELETE:
// TODO this can't be an admin permission yet because non-admins still use it
case Permission.USER_READ:
case Permission.USER_CREATE:
case Permission.USER_UPDATE:
case Permission.USER_DELETE:
case Permission.SYSTEM_CONFIG_CREATE:
case Permission.SYSTEM_CONFIG_READ:
case Permission.SYSTEM_CONFIG_UPDATE:
case Permission.SYSTEM_CONFIG_DELETE:
case Permission.SYSTEM_METADATA_CREATE:
case Permission.SYSTEM_METADATA_READ:
case Permission.SYSTEM_METADATA_UPDATE:
case Permission.SYSTEM_METADATA_DELETE: {
return false;
}
default: {
return true;
}
}
});
export type AuthorizationPermissions = Set<Permission>;
export class AuthDto { export class AuthDto {
user!: UserEntity; user!: UserEntity;

3
server/src/dtos/user.dto.spec.ts
View file

@ -1,5 +1,6 @@
import { plainToInstance } from 'class-transformer'; import { plainToInstance } from 'class-transformer';
import { validate } from 'class-validator'; import { validate } from 'class-validator';
import { PermissionPreset } from 'src/dtos/auth.dto';
import { CreateAdminDto, CreateUserDto, CreateUserOAuthDto, UpdateUserDto } from 'src/dtos/user.dto'; import { CreateAdminDto, CreateUserDto, CreateUserOAuthDto, UpdateUserDto } from 'src/dtos/user.dto';
describe('update user DTO', () => { describe('update user DTO', () => {
@ -22,6 +23,7 @@ describe('create user DTO', () => {
email: undefined, email: undefined,
password: 'password', password: 'password',
name: 'name', name: 'name',
permissionPreset: PermissionPreset.USER,
}; };
let dto: CreateUserDto = plainToInstance(CreateUserDto, params); let dto: CreateUserDto = plainToInstance(CreateUserDto, params);
let errors = await validate(dto); let errors = await validate(dto);
@ -45,6 +47,7 @@ describe('create user DTO', () => {
email: someEmail, email: someEmail,
password: 'some password', password: 'some password',
name: 'some name', name: 'some name',
permissionPreset: 'user',
}); });
const errors = await validate(dto); const errors = await validate(dto);
expect(errors).toHaveLength(0); expect(errors).toHaveLength(0);

29
server/src/dtos/user.dto.ts
View file

@ -1,10 +1,14 @@
import { ApiProperty } from '@nestjs/swagger'; import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
import { Transform } from 'class-transformer'; import { Transform } from 'class-transformer';
import { IsEmail, IsEnum, IsNotEmpty, IsNumber, IsPositive, IsString, IsUUID } from 'class-validator'; import { IsEmail, IsEnum, IsNotEmpty, IsNumber, IsPositive, IsString, IsUUID, ValidateIf } from 'class-validator';
import { Permission, PermissionPreset } from 'src/dtos/auth.dto';
import { getRandomAvatarColor } from 'src/dtos/user-profile.dto'; import { getRandomAvatarColor } from 'src/dtos/user-profile.dto';
import { UserAvatarColor, UserEntity, UserStatus } from 'src/entities/user.entity'; import { UserAvatarColor, UserEntity, UserStatus } from 'src/entities/user.entity';
import { Optional, ValidateBoolean, toEmail, toSanitized } from 'src/validation'; import { Optional, ValidateBoolean, toEmail, toSanitized } from 'src/validation';
const isCustomPreset = ({ permissionPreset }: CreateUserDto) =>
permissionPreset && permissionPreset === PermissionPreset.CUSTOM;
export class CreateUserDto { export class CreateUserDto {
@IsEmail({ require_tld: false }) @IsEmail({ require_tld: false })
@Transform(toEmail) @Transform(toEmail)
@ -34,6 +38,15 @@ export class CreateUserDto {
@ValidateBoolean({ optional: true }) @ValidateBoolean({ optional: true })
shouldChangePassword?: boolean; shouldChangePassword?: boolean;
@IsEnum(PermissionPreset)
@ApiProperty({ enum: PermissionPreset, enumName: 'PermissionPreset' })
permissionPreset!: PermissionPreset;
@ValidateIf(isCustomPreset)
@IsEnum(Permission, { each: true })
@ApiPropertyOptional({ enum: Permission, enumName: 'AuthorizationPermission' })
permissions?: Permission[];
} }
export class CreateAdminDto { export class CreateAdminDto {
@ -112,6 +125,16 @@ export class UpdateUserDto {
@IsPositive() @IsPositive()
@ApiProperty({ type: 'integer', format: 'int64' }) @ApiProperty({ type: 'integer', format: 'int64' })
quotaSizeInBytes?: number | null; quotaSizeInBytes?: number | null;
@Optional()
@IsEnum(PermissionPreset)
@ApiProperty({ enum: PermissionPreset, enumName: 'PermissionPreset' })
permissionPreset?: PermissionPreset;
@ValidateIf(isCustomPreset)
@IsEnum(Permission, { each: true })
@ApiPropertyOptional({ enum: Permission, enumName: 'AuthorizationPermission' })
permissions?: Permission[];
} }
export class UserDto { export class UserDto {
@ -139,6 +162,7 @@ export class UserResponseDto extends UserDto {
quotaUsageInBytes!: number | null; quotaUsageInBytes!: number | null;
@ApiProperty({ enumName: 'UserStatus', enum: UserStatus }) @ApiProperty({ enumName: 'UserStatus', enum: UserStatus })
status!: string; status!: string;
permissions?: Permission[];
} }
export const mapSimpleUser = (entity: UserEntity): UserDto => { export const mapSimpleUser = (entity: UserEntity): UserDto => {
@ -165,5 +189,6 @@ export function mapUser(entity: UserEntity): UserResponseDto {
quotaSizeInBytes: entity.quotaSizeInBytes, quotaSizeInBytes: entity.quotaSizeInBytes,
quotaUsageInBytes: entity.quotaUsageInBytes, quotaUsageInBytes: entity.quotaUsageInBytes,
status: entity.status, status: entity.status,
permissions: entity.permissions,
}; };
} }

4
server/src/entities/user.entity.ts
View file

@ -1,3 +1,4 @@
import { Permission } from 'src/dtos/auth.dto';
import { AssetEntity } from 'src/entities/asset.entity'; import { AssetEntity } from 'src/entities/asset.entity';
import { TagEntity } from 'src/entities/tag.entity'; import { TagEntity } from 'src/entities/tag.entity';
import { import {
@ -87,4 +88,7 @@ export class UserEntity {
@Column({ type: 'bigint', default: 0 }) @Column({ type: 'bigint', default: 0 })
quotaUsageInBytes!: number; quotaUsageInBytes!: number;
@Column({ type: 'varchar', array: true })
permissions!: Permission[];
} }

62
server/src/middleware/auth.guard.ts
View file

@ -10,49 +10,40 @@ import {
import { Reflector } from '@nestjs/core'; import { Reflector } from '@nestjs/core';
import { ApiBearerAuth, ApiCookieAuth, ApiOkResponse, ApiQuery, ApiSecurity } from '@nestjs/swagger'; import { ApiBearerAuth, ApiCookieAuth, ApiOkResponse, ApiQuery, ApiSecurity } from '@nestjs/swagger';
import { Request } from 'express'; import { Request } from 'express';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, Permission } from 'src/dtos/auth.dto';
import { ILoggerRepository } from 'src/interfaces/logger.interface'; import { ILoggerRepository } from 'src/interfaces/logger.interface';
import { AuthService, LoginDetails } from 'src/services/auth.service'; import { AuthService, LoginDetails } from 'src/services/auth.service';
import { UAParser } from 'ua-parser-js'; import { UAParser } from 'ua-parser-js';
export enum Metadata { export enum Metadata {
AUTH_ROUTE = 'auth_route',
ADMIN_ROUTE = 'admin_route',
SHARED_ROUTE = 'shared_route', SHARED_ROUTE = 'shared_route',
PUBLIC_SECURITY = 'public_security', PUBLIC_SECURITY = 'public_security',
API_KEY_SECURITY = 'api_key', API_KEY_SECURITY = 'api_key',
PERMISSION = 'auth_permission',
} }
export interface AuthenticatedOptions { type AuthenticatedOptions = {
admin?: true; sharedLink?: true;
isShared?: true; /** skip permission check when param id matches calling user */
} bypassParamId?: string;
};
export const Authenticated = (options: AuthenticatedOptions = {}) => { export const Authenticated = (permission: Permission, options?: AuthenticatedOptions) => {
const decorators: MethodDecorator[] = [ const { sharedLink } = { sharedLink: false, ...options };
const decorators = sharedLink
? [SetMetadata(Metadata.SHARED_ROUTE, true), ApiQuery({ name: 'key', type: String, required: false })]
: [];
return applyDecorators(
ApiBearerAuth(), ApiBearerAuth(),
ApiCookieAuth(), ApiCookieAuth(),
ApiSecurity(Metadata.API_KEY_SECURITY), ApiSecurity(Metadata.API_KEY_SECURITY),
SetMetadata(Metadata.AUTH_ROUTE, true), SetMetadata(Metadata.PERMISSION, permission),
]; ...decorators,
);
if (options.admin) {
decorators.push(AdminRoute());
}
if (options.isShared) {
decorators.push(SharedLinkRoute());
}
return applyDecorators(...decorators);
}; };
export const PublicRoute = () =>
applyDecorators(SetMetadata(Metadata.AUTH_ROUTE, false), ApiSecurity(Metadata.PUBLIC_SECURITY));
export const SharedLinkRoute = () =>
applyDecorators(SetMetadata(Metadata.SHARED_ROUTE, true), ApiQuery({ name: 'key', type: String, required: false }));
export const AdminRoute = (value = true) => SetMetadata(Metadata.ADMIN_ROUTE, value);
export const Auth = createParamDecorator((data, context: ExecutionContext): AuthDto => { export const Auth = createParamDecorator((data, context: ExecutionContext): AuthDto => {
return context.switchToHttp().getRequest<{ user: AuthDto }>().user; return context.switchToHttp().getRequest<{ user: AuthDto }>().user;
}); });
@ -89,26 +80,29 @@ export class AuthGuard implements CanActivate {
} }
async canActivate(context: ExecutionContext): Promise<boolean> { async canActivate(context: ExecutionContext): Promise<boolean> {
const targets = [context.getHandler(), context.getClass()]; const method = context.getHandler();
const isAuthRoute = this.reflector.getAllAndOverride(Metadata.AUTH_ROUTE, targets); const permission = this.reflector.get<Permission>(Metadata.PERMISSION, method);
const isAdminRoute = this.reflector.getAllAndOverride(Metadata.ADMIN_ROUTE, targets); const isSharedRoute = this.reflector.get<boolean>(Metadata.SHARED_ROUTE, method);
const isSharedRoute = this.reflector.getAllAndOverride(Metadata.SHARED_ROUTE, targets);
if (!isAuthRoute) { // public
if (!permission) {
return true; return true;
} }
const request = context.switchToHttp().getRequest<AuthRequest>(); const request = context.switchToHttp().getRequest<AuthRequest>();
const authDto = await this.authService.validate(request.headers, request.query as Record<string, string>); const authDto = await this.authService.validate(request.headers, request.query as Record<string, string>);
const isApiKey = !!authDto.apiKey;
const isUserToken = !!authDto.session;
if (authDto.sharedLink && !isSharedRoute) { if (authDto.sharedLink && !isSharedRoute) {
this.logger.warn(`Denied access to non-shared route: ${request.path}`); this.logger.warn(`Denied access to non-shared route: ${request.path}`);
return false; return false;
} }
if (isAdminRoute && !authDto.user.isAdmin) { if ((isApiKey || isUserToken) && !authDto.user.permissions.includes(permission)) {
this.logger.warn(`Denied access to admin only route: ${request.path}`); this.logger.warn(`Denied access to route: no ${permission} permission: ${request.path}. `);
return false; return false;
} }

14
server/src/migrations/1713389653857-AddUserPermissions.ts Normal file
View file

@ -0,0 +1,14 @@
import { MigrationInterface, QueryRunner } from "typeorm";
export class AddUserPermissions1713389653857 implements MigrationInterface {
name = 'AddUserPermissions1713389653857'
public async up(queryRunner: QueryRunner): Promise<void> {
await queryRunner.query(`ALTER TABLE "users" ADD "permissions" character varying array NOT NULL`);
}
public async down(queryRunner: QueryRunner): Promise<void> {
await queryRunner.query(`ALTER TABLE "users" DROP COLUMN "permissions"`);
}
}

10
server/src/services/activity.service.ts
View file

@ -1,5 +1,5 @@
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { import {
ActivityCreateDto, ActivityCreateDto,
ActivityDto, ActivityDto,
@ -28,7 +28,7 @@ export class ActivityService {
} }
async getAll(auth: AuthDto, dto: ActivitySearchDto): Promise<ActivityResponseDto[]> { async getAll(auth: AuthDto, dto: ActivitySearchDto): Promise<ActivityResponseDto[]> {
await this.access.requirePermission(auth, Permission.ALBUM_READ, dto.albumId); await this.access.requirePermission(auth, AccessPermission.ALBUM_READ, dto.albumId);
const activities = await this.repository.search({ const activities = await this.repository.search({
userId: dto.userId, userId: dto.userId,
albumId: dto.albumId, albumId: dto.albumId,
@ -40,12 +40,12 @@ export class ActivityService {
} }
async getStatistics(auth: AuthDto, dto: ActivityDto): Promise<ActivityStatisticsResponseDto> { async getStatistics(auth: AuthDto, dto: ActivityDto): Promise<ActivityStatisticsResponseDto> {
await this.access.requirePermission(auth, Permission.ALBUM_READ, dto.albumId); await this.access.requirePermission(auth, AccessPermission.ALBUM_READ, dto.albumId);
return { comments: await this.repository.getStatistics(dto.assetId, dto.albumId) }; return { comments: await this.repository.getStatistics(dto.assetId, dto.albumId) };
} }
async create(auth: AuthDto, dto: ActivityCreateDto): Promise<MaybeDuplicate<ActivityResponseDto>> { async create(auth: AuthDto, dto: ActivityCreateDto): Promise<MaybeDuplicate<ActivityResponseDto>> {
await this.access.requirePermission(auth, Permission.ACTIVITY_CREATE, dto.albumId); await this.access.requirePermission(auth, AccessPermission.ACTIVITY_CREATE, dto.albumId);
const common = { const common = {
userId: auth.user.id, userId: auth.user.id,
@ -79,7 +79,7 @@ export class ActivityService {
} }
async delete(auth: AuthDto, id: string): Promise<void> { async delete(auth: AuthDto, id: string): Promise<void> {
await this.access.requirePermission(auth, Permission.ACTIVITY_DELETE, id); await this.access.requirePermission(auth, AccessPermission.ACTIVITY_DELETE, id);
await this.repository.delete(id); await this.repository.delete(id);
} }
} }

20
server/src/services/album.service.ts
View file

@ -1,5 +1,5 @@
import { BadRequestException, Inject, Injectable } from '@nestjs/common'; import { BadRequestException, Inject, Injectable } from '@nestjs/common';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { import {
AddUsersDto, AddUsersDto,
AlbumCountResponseDto, AlbumCountResponseDto,
@ -97,7 +97,7 @@ export class AlbumService {
} }
async get(auth: AuthDto, id: string, dto: AlbumInfoDto): Promise<AlbumResponseDto> { async get(auth: AuthDto, id: string, dto: AlbumInfoDto): Promise<AlbumResponseDto> {
await this.access.requirePermission(auth, Permission.ALBUM_READ, id); await this.access.requirePermission(auth, AccessPermission.ALBUM_READ, id);
await this.albumRepository.updateThumbnails(); await this.albumRepository.updateThumbnails();
const withAssets = dto.withoutAssets === undefined ? true : !dto.withoutAssets; const withAssets = dto.withoutAssets === undefined ? true : !dto.withoutAssets;
const album = await this.findOrFail(id, { withAssets }); const album = await this.findOrFail(id, { withAssets });
@ -119,7 +119,7 @@ export class AlbumService {
} }
} }
const allowedAssetIdsSet = await this.access.checkAccess(auth, Permission.ASSET_SHARE, new Set(dto.assetIds)); const allowedAssetIdsSet = await this.access.checkAccess(auth, AccessPermission.ASSET_SHARE, new Set(dto.assetIds));
const assets = [...allowedAssetIdsSet].map((id) => ({ id }) as AssetEntity); const assets = [...allowedAssetIdsSet].map((id) => ({ id }) as AssetEntity);
const album = await this.albumRepository.create({ const album = await this.albumRepository.create({
@ -135,7 +135,7 @@ export class AlbumService {
} }
async update(auth: AuthDto, id: string, dto: UpdateAlbumDto): Promise<AlbumResponseDto> { async update(auth: AuthDto, id: string, dto: UpdateAlbumDto): Promise<AlbumResponseDto> {
await this.access.requirePermission(auth, Permission.ALBUM_UPDATE, id); await this.access.requirePermission(auth, AccessPermission.ALBUM_UPDATE, id);
const album = await this.findOrFail(id, { withAssets: true }); const album = await this.findOrFail(id, { withAssets: true });
@ -158,7 +158,7 @@ export class AlbumService {
} }
async delete(auth: AuthDto, id: string): Promise<void> { async delete(auth: AuthDto, id: string): Promise<void> {
await this.access.requirePermission(auth, Permission.ALBUM_DELETE, id); await this.access.requirePermission(auth, AccessPermission.ALBUM_DELETE, id);
const album = await this.findOrFail(id, { withAssets: false }); const album = await this.findOrFail(id, { withAssets: false });
@ -167,7 +167,7 @@ export class AlbumService {
async addAssets(auth: AuthDto, id: string, dto: BulkIdsDto): Promise<BulkIdResponseDto[]> { async addAssets(auth: AuthDto, id: string, dto: BulkIdsDto): Promise<BulkIdResponseDto[]> {
const album = await this.findOrFail(id, { withAssets: false }); const album = await this.findOrFail(id, { withAssets: false });
await this.access.requirePermission(auth, Permission.ALBUM_READ, id); await this.access.requirePermission(auth, AccessPermission.ALBUM_READ, id);
const results = await addAssets( const results = await addAssets(
auth, auth,
@ -190,12 +190,12 @@ export class AlbumService {
async removeAssets(auth: AuthDto, id: string, dto: BulkIdsDto): Promise<BulkIdResponseDto[]> { async removeAssets(auth: AuthDto, id: string, dto: BulkIdsDto): Promise<BulkIdResponseDto[]> {
const album = await this.findOrFail(id, { withAssets: false }); const album = await this.findOrFail(id, { withAssets: false });
await this.access.requirePermission(auth, Permission.ALBUM_READ, id); await this.access.requirePermission(auth, AccessPermission.ALBUM_READ, id);
const results = await removeAssets( const results = await removeAssets(
auth, auth,
{ accessRepository: this.accessRepository, repository: this.albumRepository }, { accessRepository: this.accessRepository, repository: this.albumRepository },
{ id, assetIds: dto.ids, permissions: [Permission.ASSET_SHARE, Permission.ALBUM_REMOVE_ASSET] }, { id, assetIds: dto.ids, permissions: [AccessPermission.ASSET_SHARE, AccessPermission.ALBUM_REMOVE_ASSET] },
); );
const removedIds = results.filter(({ success }) => success).map(({ id }) => id); const removedIds = results.filter(({ success }) => success).map(({ id }) => id);
@ -210,7 +210,7 @@ export class AlbumService {
} }
async addUsers(auth: AuthDto, id: string, dto: AddUsersDto): Promise<AlbumResponseDto> { async addUsers(auth: AuthDto, id: string, dto: AddUsersDto): Promise<AlbumResponseDto> {
await this.access.requirePermission(auth, Permission.ALBUM_SHARE, id); await this.access.requirePermission(auth, AccessPermission.ALBUM_SHARE, id);
const album = await this.findOrFail(id, { withAssets: false }); const album = await this.findOrFail(id, { withAssets: false });
@ -259,7 +259,7 @@ export class AlbumService {
// non-admin can remove themselves // non-admin can remove themselves
if (auth.user.id !== userId) { if (auth.user.id !== userId) {
await this.access.requirePermission(auth, Permission.ALBUM_SHARE, id); await this.access.requirePermission(auth, AccessPermission.ALBUM_SHARE, id);
} }
await this.albumRepository.update({ await this.albumRepository.update({

10
server/src/services/asset-v1.service.ts
View file

@ -5,7 +5,7 @@ import {
InternalServerErrorException, InternalServerErrorException,
NotFoundException, NotFoundException,
} from '@nestjs/common'; } from '@nestjs/common';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { AssetResponseDto, mapAsset } from 'src/dtos/asset-response.dto'; import { AssetResponseDto, mapAsset } from 'src/dtos/asset-response.dto';
import { import {
AssetBulkUploadCheckResponseDto, AssetBulkUploadCheckResponseDto,
@ -78,7 +78,7 @@ export class AssetServiceV1 {
try { try {
const libraryId = await this.getLibraryId(auth, dto.libraryId); const libraryId = await this.getLibraryId(auth, dto.libraryId);
await this.access.requirePermission(auth, Permission.ASSET_UPLOAD, libraryId); await this.access.requirePermission(auth, AccessPermission.ASSET_UPLOAD, libraryId);
this.requireQuota(auth, file.size); this.requireQuota(auth, file.size);
if (livePhotoFile) { if (livePhotoFile) {
const livePhotoDto = { ...dto, assetType: AssetType.VIDEO, isVisible: false, libraryId }; const livePhotoDto = { ...dto, assetType: AssetType.VIDEO, isVisible: false, libraryId };
@ -111,13 +111,13 @@ export class AssetServiceV1 {
public async getAllAssets(auth: AuthDto, dto: AssetSearchDto): Promise<AssetResponseDto[]> { public async getAllAssets(auth: AuthDto, dto: AssetSearchDto): Promise<AssetResponseDto[]> {
const userId = dto.userId || auth.user.id; const userId = dto.userId || auth.user.id;
await this.access.requirePermission(auth, Permission.TIMELINE_READ, userId); await this.access.requirePermission(auth, AccessPermission.TIMELINE_READ, userId);
const assets = await this.assetRepositoryV1.getAllByUserId(userId, dto); const assets = await this.assetRepositoryV1.getAllByUserId(userId, dto);
return assets.map((asset) => mapAsset(asset, { withStack: true, auth })); return assets.map((asset) => mapAsset(asset, { withStack: true, auth }));
} }
async serveThumbnail(auth: AuthDto, assetId: string, dto: GetAssetThumbnailDto): Promise<ImmichFileResponse> { async serveThumbnail(auth: AuthDto, assetId: string, dto: GetAssetThumbnailDto): Promise<ImmichFileResponse> {
await this.access.requirePermission(auth, Permission.ASSET_VIEW, assetId); await this.access.requirePermission(auth, AccessPermission.ASSET_VIEW, assetId);
const asset = await this.assetRepositoryV1.get(assetId); const asset = await this.assetRepositoryV1.get(assetId);
if (!asset) { if (!asset) {
@ -135,7 +135,7 @@ export class AssetServiceV1 {
public async serveFile(auth: AuthDto, assetId: string, dto: ServeFileDto): Promise<ImmichFileResponse> { public async serveFile(auth: AuthDto, assetId: string, dto: ServeFileDto): Promise<ImmichFileResponse> {
// this is not quite right as sometimes this returns the original still // this is not quite right as sometimes this returns the original still
await this.access.requirePermission(auth, Permission.ASSET_VIEW, assetId); await this.access.requirePermission(auth, AccessPermission.ASSET_VIEW, assetId);
const asset = await this.assetRepository.getById(assetId); const asset = await this.assetRepository.getById(assetId);
if (!asset) { if (!asset) {

18
server/src/services/asset.service.ts
View file

@ -3,7 +3,7 @@ import _ from 'lodash';
import { DateTime, Duration } from 'luxon'; import { DateTime, Duration } from 'luxon';
import { extname } from 'node:path'; import { extname } from 'node:path';
import sanitize from 'sanitize-filename'; import sanitize from 'sanitize-filename';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { StorageCore, StorageFolder } from 'src/cores/storage.core'; import { StorageCore, StorageFolder } from 'src/cores/storage.core';
import { SystemConfigCore } from 'src/cores/system-config.core'; import { SystemConfigCore } from 'src/cores/system-config.core';
import { import {
@ -210,7 +210,7 @@ export class AssetService {
} }
async get(auth: AuthDto, id: string): Promise<AssetResponseDto | SanitizedAssetResponseDto> { async get(auth: AuthDto, id: string): Promise<AssetResponseDto | SanitizedAssetResponseDto> {
await this.access.requirePermission(auth, Permission.ASSET_READ, id); await this.access.requirePermission(auth, AccessPermission.ASSET_READ, id);
const asset = await this.assetRepository.getById(id, { const asset = await this.assetRepository.getById(id, {
exifInfo: true, exifInfo: true,
@ -250,7 +250,7 @@ export class AssetService {
} }
async update(auth: AuthDto, id: string, dto: UpdateAssetDto): Promise<AssetResponseDto> { async update(auth: AuthDto, id: string, dto: UpdateAssetDto): Promise<AssetResponseDto> {
await this.access.requirePermission(auth, Permission.ASSET_UPDATE, id); await this.access.requirePermission(auth, AccessPermission.ASSET_UPDATE, id);
const { description, dateTimeOriginal, latitude, longitude, ...rest } = dto; const { description, dateTimeOriginal, latitude, longitude, ...rest } = dto;
await this.updateMetadata({ id, description, dateTimeOriginal, latitude, longitude }); await this.updateMetadata({ id, description, dateTimeOriginal, latitude, longitude });
@ -273,7 +273,7 @@ export class AssetService {
async updateAll(auth: AuthDto, dto: AssetBulkUpdateDto): Promise<void> { async updateAll(auth: AuthDto, dto: AssetBulkUpdateDto): Promise<void> {
const { ids, removeParent, dateTimeOriginal, latitude, longitude, ...options } = dto; const { ids, removeParent, dateTimeOriginal, latitude, longitude, ...options } = dto;
await this.access.requirePermission(auth, Permission.ASSET_UPDATE, ids); await this.access.requirePermission(auth, AccessPermission.ASSET_UPDATE, ids);
// TODO: refactor this logic into separate API calls POST /stack, PUT /stack, etc. // TODO: refactor this logic into separate API calls POST /stack, PUT /stack, etc.
const stackIdsToCheckForDelete: string[] = []; const stackIdsToCheckForDelete: string[] = [];
@ -289,7 +289,7 @@ export class AssetService {
); );
} else if (options.stackParentId) { } else if (options.stackParentId) {
//Creating new stack if parent doesn't have one already. If it does, then we add to the existing stack //Creating new stack if parent doesn't have one already. If it does, then we add to the existing stack
await this.access.requirePermission(auth, Permission.ASSET_UPDATE, options.stackParentId); await this.access.requirePermission(auth, AccessPermission.ASSET_UPDATE, options.stackParentId);
const primaryAsset = await this.assetRepository.getById(options.stackParentId, { stack: { assets: true } }); const primaryAsset = await this.assetRepository.getById(options.stackParentId, { stack: { assets: true } });
if (!primaryAsset) { if (!primaryAsset) {
throw new BadRequestException('Asset not found for given stackParentId'); throw new BadRequestException('Asset not found for given stackParentId');
@ -418,7 +418,7 @@ export class AssetService {
async deleteAll(auth: AuthDto, dto: AssetBulkDeleteDto): Promise<void> { async deleteAll(auth: AuthDto, dto: AssetBulkDeleteDto): Promise<void> {
const { ids, force } = dto; const { ids, force } = dto;
await this.access.requirePermission(auth, Permission.ASSET_DELETE, ids); await this.access.requirePermission(auth, AccessPermission.ASSET_DELETE, ids);
if (force) { if (force) {
await this.jobRepository.queueAll(ids.map((id) => ({ name: JobName.ASSET_DELETION, data: { id } }))); await this.jobRepository.queueAll(ids.map((id) => ({ name: JobName.ASSET_DELETION, data: { id } })));
@ -430,8 +430,8 @@ export class AssetService {
async updateStackParent(auth: AuthDto, dto: UpdateStackParentDto): Promise<void> { async updateStackParent(auth: AuthDto, dto: UpdateStackParentDto): Promise<void> {
const { oldParentId, newParentId } = dto; const { oldParentId, newParentId } = dto;
await this.access.requirePermission(auth, Permission.ASSET_READ, oldParentId); await this.access.requirePermission(auth, AccessPermission.ASSET_READ, oldParentId);
await this.access.requirePermission(auth, Permission.ASSET_UPDATE, newParentId); await this.access.requirePermission(auth, AccessPermission.ASSET_UPDATE, newParentId);
const childIds: string[] = []; const childIds: string[] = [];
const oldParent = await this.assetRepository.getById(oldParentId, { const oldParent = await this.assetRepository.getById(oldParentId, {
@ -464,7 +464,7 @@ export class AssetService {
} }
async run(auth: AuthDto, dto: AssetJobsDto) { async run(auth: AuthDto, dto: AssetJobsDto) {
await this.access.requirePermission(auth, Permission.ASSET_UPDATE, dto.assetIds); await this.access.requirePermission(auth, AccessPermission.ASSET_UPDATE, dto.assetIds);
const jobs: JobItem[] = []; const jobs: JobItem[] = [];

4
server/src/services/audit.service.ts
View file

@ -2,7 +2,7 @@ import { BadRequestException, Inject, Injectable } from '@nestjs/common';
import { DateTime } from 'luxon'; import { DateTime } from 'luxon';
import { resolve } from 'node:path'; import { resolve } from 'node:path';
import { AUDIT_LOG_MAX_DURATION } from 'src/constants'; import { AUDIT_LOG_MAX_DURATION } from 'src/constants';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { StorageCore, StorageFolder } from 'src/cores/storage.core'; import { StorageCore, StorageFolder } from 'src/cores/storage.core';
import { import {
AuditDeletesDto, AuditDeletesDto,
@ -51,7 +51,7 @@ export class AuditService {
async getDeletes(auth: AuthDto, dto: AuditDeletesDto): Promise<AuditDeletesResponseDto> { async getDeletes(auth: AuthDto, dto: AuditDeletesDto): Promise<AuditDeletesResponseDto> {
const userId = dto.userId || auth.user.id; const userId = dto.userId || auth.user.id;
await this.access.requirePermission(auth, Permission.TIMELINE_READ, userId); await this.access.requirePermission(auth, AccessPermission.TIMELINE_READ, userId);
const audits = await this.repository.getAfter(dto.after, { const audits = await this.repository.getAfter(dto.after, {
userIds: [userId], userIds: [userId],

3
server/src/services/auth.service.spec.ts
View file

@ -55,6 +55,7 @@ const oauthUserWithDefaultQuota = {
oauthId: sub, oauthId: sub,
quotaSizeInBytes: 1_073_741_824, quotaSizeInBytes: 1_073_741_824,
storageLabel: null, storageLabel: null,
permissions: expect.any(Array),
}; };
describe('AuthService', () => { describe('AuthService', () => {
@ -492,6 +493,7 @@ describe('AuthService', () => {
oauthId: sub, oauthId: sub,
quotaSizeInBytes: null, quotaSizeInBytes: null,
storageLabel: null, storageLabel: null,
permissions: expect.any(Array),
}); });
}); });
@ -512,6 +514,7 @@ describe('AuthService', () => {
oauthId: sub, oauthId: sub,
quotaSizeInBytes: 5_368_709_120, quotaSizeInBytes: 5_368_709_120,
storageLabel: null, storageLabel: null,
permissions: expect.any(Array),
}); });
}); });
}); });

4
server/src/services/auth.service.ts
View file

@ -15,6 +15,7 @@ import { AccessCore } from 'src/cores/access.core';
import { SystemConfigCore } from 'src/cores/system-config.core'; import { SystemConfigCore } from 'src/cores/system-config.core';
import { UserCore } from 'src/cores/user.core'; import { UserCore } from 'src/cores/user.core';
import { import {
ALL_PERMISSIONS,
AuthDto, AuthDto,
ChangePasswordDto, ChangePasswordDto,
ImmichCookie, ImmichCookie,
@ -25,6 +26,7 @@ import {
OAuthCallbackDto, OAuthCallbackDto,
OAuthConfigDto, OAuthConfigDto,
SignUpDto, SignUpDto,
USER_PERMISSIONS,
mapLoginResponse, mapLoginResponse,
} from 'src/dtos/auth.dto'; } from 'src/dtos/auth.dto';
import { UserResponseDto, mapUser } from 'src/dtos/user.dto'; import { UserResponseDto, mapUser } from 'src/dtos/user.dto';
@ -143,6 +145,7 @@ export class AuthService {
name: dto.name, name: dto.name,
password: dto.password, password: dto.password,
storageLabel: 'admin', storageLabel: 'admin',
permissions: ALL_PERMISSIONS,
}); });
return mapUser(admin); return mapUser(admin);
@ -238,6 +241,7 @@ export class AuthService {
oauthId: profile.sub, oauthId: profile.sub,
quotaSizeInBytes: storageQuota * HumanReadableSize.GiB || null, quotaSizeInBytes: storageQuota * HumanReadableSize.GiB || null,
storageLabel: storageLabel || null, storageLabel: storageLabel || null,
permissions: USER_PERMISSIONS,
}); });
} }

12
server/src/services/download.service.ts
View file

@ -1,6 +1,6 @@
import { BadRequestException, Inject, Injectable } from '@nestjs/common'; import { BadRequestException, Inject, Injectable } from '@nestjs/common';
import { parse } from 'node:path'; import { parse } from 'node:path';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { AssetIdsDto } from 'src/dtos/asset.dto'; import { AssetIdsDto } from 'src/dtos/asset.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
import { DownloadArchiveInfo, DownloadInfoDto, DownloadResponseDto } from 'src/dtos/download.dto'; import { DownloadArchiveInfo, DownloadInfoDto, DownloadResponseDto } from 'src/dtos/download.dto';
@ -26,7 +26,7 @@ export class DownloadService {
} }
async downloadFile(auth: AuthDto, id: string): Promise<ImmichFileResponse> { async downloadFile(auth: AuthDto, id: string): Promise<ImmichFileResponse> {
await this.access.requirePermission(auth, Permission.ASSET_DOWNLOAD, id); await this.access.requirePermission(auth, AccessPermission.ASSET_DOWNLOAD, id);
const [asset] = await this.assetRepository.getByIds([id]); const [asset] = await this.assetRepository.getByIds([id]);
if (!asset) { if (!asset) {
@ -81,7 +81,7 @@ export class DownloadService {
} }
async downloadArchive(auth: AuthDto, dto: AssetIdsDto): Promise<ImmichReadStream> { async downloadArchive(auth: AuthDto, dto: AssetIdsDto): Promise<ImmichReadStream> {
await this.access.requirePermission(auth, Permission.ASSET_DOWNLOAD, dto.assetIds); await this.access.requirePermission(auth, AccessPermission.ASSET_DOWNLOAD, dto.assetIds);
const zip = this.storageRepository.createZipStream(); const zip = this.storageRepository.createZipStream();
const assets = await this.assetRepository.getByIds(dto.assetIds); const assets = await this.assetRepository.getByIds(dto.assetIds);
@ -117,20 +117,20 @@ export class DownloadService {
if (dto.assetIds) { if (dto.assetIds) {
const assetIds = dto.assetIds; const assetIds = dto.assetIds;
await this.access.requirePermission(auth, Permission.ASSET_DOWNLOAD, assetIds); await this.access.requirePermission(auth, AccessPermission.ASSET_DOWNLOAD, assetIds);
const assets = await this.assetRepository.getByIds(assetIds, { exifInfo: true }); const assets = await this.assetRepository.getByIds(assetIds, { exifInfo: true });
return usePagination(PAGINATION_SIZE, () => ({ hasNextPage: false, items: assets })); return usePagination(PAGINATION_SIZE, () => ({ hasNextPage: false, items: assets }));
} }
if (dto.albumId) { if (dto.albumId) {
const albumId = dto.albumId; const albumId = dto.albumId;
await this.access.requirePermission(auth, Permission.ALBUM_DOWNLOAD, albumId); await this.access.requirePermission(auth, AccessPermission.ALBUM_DOWNLOAD, albumId);
return usePagination(PAGINATION_SIZE, (pagination) => this.assetRepository.getByAlbumId(pagination, albumId)); return usePagination(PAGINATION_SIZE, (pagination) => this.assetRepository.getByAlbumId(pagination, albumId));
} }
if (dto.userId) { if (dto.userId) {
const userId = dto.userId; const userId = dto.userId;
await this.access.requirePermission(auth, Permission.TIMELINE_DOWNLOAD, userId); await this.access.requirePermission(auth, AccessPermission.TIMELINE_DOWNLOAD, userId);
return usePagination(PAGINATION_SIZE, (pagination) => return usePagination(PAGINATION_SIZE, (pagination) =>
this.assetRepository.getByUserId(pagination, userId, { isVisible: true }), this.assetRepository.getByUserId(pagination, userId, { isVisible: true }),
); );

16
server/src/services/memory.service.ts
View file

@ -1,5 +1,5 @@
import { BadRequestException, Inject, Injectable } from '@nestjs/common'; import { BadRequestException, Inject, Injectable } from '@nestjs/common';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto'; import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
import { MemoryCreateDto, MemoryResponseDto, MemoryUpdateDto, mapMemory } from 'src/dtos/memory.dto'; import { MemoryCreateDto, MemoryResponseDto, MemoryUpdateDto, mapMemory } from 'src/dtos/memory.dto';
@ -25,7 +25,7 @@ export class MemoryService {
} }
async get(auth: AuthDto, id: string): Promise<MemoryResponseDto> { async get(auth: AuthDto, id: string): Promise<MemoryResponseDto> {
await this.access.requirePermission(auth, Permission.MEMORY_READ, id); await this.access.requirePermission(auth, AccessPermission.MEMORY_READ, id);
const memory = await this.findOrFail(id); const memory = await this.findOrFail(id);
return mapMemory(memory); return mapMemory(memory);
} }
@ -34,7 +34,7 @@ export class MemoryService {
// TODO validate type/data combination // TODO validate type/data combination
const assetIds = dto.assetIds || []; const assetIds = dto.assetIds || [];
const allowedAssetIds = await this.access.checkAccess(auth, Permission.ASSET_SHARE, assetIds); const allowedAssetIds = await this.access.checkAccess(auth, AccessPermission.ASSET_SHARE, assetIds);
const memory = await this.repository.create({ const memory = await this.repository.create({
ownerId: auth.user.id, ownerId: auth.user.id,
type: dto.type, type: dto.type,
@ -49,7 +49,7 @@ export class MemoryService {
} }
async update(auth: AuthDto, id: string, dto: MemoryUpdateDto): Promise<MemoryResponseDto> { async update(auth: AuthDto, id: string, dto: MemoryUpdateDto): Promise<MemoryResponseDto> {
await this.access.requirePermission(auth, Permission.MEMORY_WRITE, id); await this.access.requirePermission(auth, AccessPermission.MEMORY_WRITE, id);
const memory = await this.repository.update({ const memory = await this.repository.update({
id, id,
@ -62,12 +62,12 @@ export class MemoryService {
} }
async remove(auth: AuthDto, id: string): Promise<void> { async remove(auth: AuthDto, id: string): Promise<void> {
await this.access.requirePermission(auth, Permission.MEMORY_DELETE, id); await this.access.requirePermission(auth, AccessPermission.MEMORY_DELETE, id);
await this.repository.delete(id); await this.repository.delete(id);
} }
async addAssets(auth: AuthDto, id: string, dto: BulkIdsDto): Promise<BulkIdResponseDto[]> { async addAssets(auth: AuthDto, id: string, dto: BulkIdsDto): Promise<BulkIdResponseDto[]> {
await this.access.requirePermission(auth, Permission.MEMORY_READ, id); await this.access.requirePermission(auth, AccessPermission.MEMORY_READ, id);
const repos = { accessRepository: this.accessRepository, repository: this.repository }; const repos = { accessRepository: this.accessRepository, repository: this.repository };
const results = await addAssets(auth, repos, { id, assetIds: dto.ids }); const results = await addAssets(auth, repos, { id, assetIds: dto.ids });
@ -81,10 +81,10 @@ export class MemoryService {
} }
async removeAssets(auth: AuthDto, id: string, dto: BulkIdsDto): Promise<BulkIdResponseDto[]> { async removeAssets(auth: AuthDto, id: string, dto: BulkIdsDto): Promise<BulkIdResponseDto[]> {
await this.access.requirePermission(auth, Permission.MEMORY_WRITE, id); await this.access.requirePermission(auth, AccessPermission.MEMORY_WRITE, id);
const repos = { accessRepository: this.accessRepository, repository: this.repository }; const repos = { accessRepository: this.accessRepository, repository: this.repository };
const permissions = [Permission.ASSET_SHARE]; const permissions = [AccessPermission.ASSET_SHARE];
const results = await removeAssets(auth, repos, { id, assetIds: dto.ids, permissions }); const results = await removeAssets(auth, repos, { id, assetIds: dto.ids, permissions });
const hasSuccess = results.find(({ success }) => success); const hasSuccess = results.find(({ success }) => success);

4
server/src/services/partner.service.ts
View file

@ -1,5 +1,5 @@
import { BadRequestException, Inject, Injectable } from '@nestjs/common'; import { BadRequestException, Inject, Injectable } from '@nestjs/common';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
import { PartnerResponseDto, UpdatePartnerDto } from 'src/dtos/partner.dto'; import { PartnerResponseDto, UpdatePartnerDto } from 'src/dtos/partner.dto';
import { mapUser } from 'src/dtos/user.dto'; import { mapUser } from 'src/dtos/user.dto';
@ -48,7 +48,7 @@ export class PartnerService {
} }
async update(auth: AuthDto, sharedById: string, dto: UpdatePartnerDto): Promise<PartnerResponseDto> { async update(auth: AuthDto, sharedById: string, dto: UpdatePartnerDto): Promise<PartnerResponseDto> {
await this.access.requirePermission(auth, Permission.PARTNER_UPDATE, sharedById); await this.access.requirePermission(auth, AccessPermission.PARTNER_UPDATE, sharedById);
const partnerId: PartnerIds = { sharedById, sharedWithId: auth.user.id }; const partnerId: PartnerIds = { sharedById, sharedWithId: auth.user.id };
const entity = await this.repository.update({ ...partnerId, inTimeline: dto.inTimeline }); const entity = await this.repository.update({ ...partnerId, inTimeline: dto.inTimeline });

28
server/src/services/person.service.ts
View file

@ -1,6 +1,6 @@
import { BadRequestException, Inject, Injectable, NotFoundException } from '@nestjs/common'; import { BadRequestException, Inject, Injectable, NotFoundException } from '@nestjs/common';
import { FACE_THUMBNAIL_SIZE } from 'src/constants'; import { FACE_THUMBNAIL_SIZE } from 'src/constants';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { StorageCore } from 'src/cores/storage.core'; import { StorageCore } from 'src/cores/storage.core';
import { SystemConfigCore } from 'src/cores/system-config.core'; import { SystemConfigCore } from 'src/cores/system-config.core';
import { BulkIdErrorReason, BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto'; import { BulkIdErrorReason, BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto';
@ -101,7 +101,7 @@ export class PersonService {
} }
async reassignFaces(auth: AuthDto, personId: string, dto: AssetFaceUpdateDto): Promise<PersonResponseDto[]> { async reassignFaces(auth: AuthDto, personId: string, dto: AssetFaceUpdateDto): Promise<PersonResponseDto[]> {
await this.access.requirePermission(auth, Permission.PERSON_WRITE, personId); await this.access.requirePermission(auth, AccessPermission.PERSON_WRITE, personId);
const person = await this.findOrFail(personId); const person = await this.findOrFail(personId);
const result: PersonResponseDto[] = []; const result: PersonResponseDto[] = [];
const changeFeaturePhoto: string[] = []; const changeFeaturePhoto: string[] = [];
@ -109,7 +109,7 @@ export class PersonService {
const faces = await this.repository.getFacesByIds([{ personId: data.personId, assetId: data.assetId }]); const faces = await this.repository.getFacesByIds([{ personId: data.personId, assetId: data.assetId }]);
for (const face of faces) { for (const face of faces) {
await this.access.requirePermission(auth, Permission.PERSON_CREATE, face.id); await this.access.requirePermission(auth, AccessPermission.PERSON_CREATE, face.id);
if (person.faceAssetId === null) { if (person.faceAssetId === null) {
changeFeaturePhoto.push(person.id); changeFeaturePhoto.push(person.id);
} }
@ -130,9 +130,9 @@ export class PersonService {
} }
async reassignFacesById(auth: AuthDto, personId: string, dto: FaceDto): Promise<PersonResponseDto> { async reassignFacesById(auth: AuthDto, personId: string, dto: FaceDto): Promise<PersonResponseDto> {
await this.access.requirePermission(auth, Permission.PERSON_WRITE, personId); await this.access.requirePermission(auth, AccessPermission.PERSON_WRITE, personId);
await this.access.requirePermission(auth, Permission.PERSON_CREATE, dto.id); await this.access.requirePermission(auth, AccessPermission.PERSON_CREATE, dto.id);
const face = await this.repository.getFaceById(dto.id); const face = await this.repository.getFaceById(dto.id);
const person = await this.findOrFail(personId); const person = await this.findOrFail(personId);
@ -148,7 +148,7 @@ export class PersonService {
} }
async getFacesById(auth: AuthDto, dto: FaceDto): Promise<AssetFaceResponseDto[]> { async getFacesById(auth: AuthDto, dto: FaceDto): Promise<AssetFaceResponseDto[]> {
await this.access.requirePermission(auth, Permission.ASSET_READ, dto.id); await this.access.requirePermission(auth, AccessPermission.ASSET_READ, dto.id);
const faces = await this.repository.getFaces(dto.id); const faces = await this.repository.getFaces(dto.id);
return faces.map((asset) => mapFaces(asset, auth)); return faces.map((asset) => mapFaces(asset, auth));
} }
@ -175,17 +175,17 @@ export class PersonService {
} }
async getById(auth: AuthDto, id: string): Promise<PersonResponseDto> { async getById(auth: AuthDto, id: string): Promise<PersonResponseDto> {
await this.access.requirePermission(auth, Permission.PERSON_READ, id); await this.access.requirePermission(auth, AccessPermission.PERSON_READ, id);
return this.findOrFail(id).then(mapPerson); return this.findOrFail(id).then(mapPerson);
} }
async getStatistics(auth: AuthDto, id: string): Promise<PersonStatisticsResponseDto> { async getStatistics(auth: AuthDto, id: string): Promise<PersonStatisticsResponseDto> {
await this.access.requirePermission(auth, Permission.PERSON_READ, id); await this.access.requirePermission(auth, AccessPermission.PERSON_READ, id);
return this.repository.getStatistics(id); return this.repository.getStatistics(id);
} }
async getThumbnail(auth: AuthDto, id: string): Promise<ImmichFileResponse> { async getThumbnail(auth: AuthDto, id: string): Promise<ImmichFileResponse> {
await this.access.requirePermission(auth, Permission.PERSON_READ, id); await this.access.requirePermission(auth, AccessPermission.PERSON_READ, id);
const person = await this.repository.getById(id); const person = await this.repository.getById(id);
if (!person || !person.thumbnailPath) { if (!person || !person.thumbnailPath) {
throw new NotFoundException(); throw new NotFoundException();
@ -199,7 +199,7 @@ export class PersonService {
} }
async getAssets(auth: AuthDto, id: string): Promise<AssetResponseDto[]> { async getAssets(auth: AuthDto, id: string): Promise<AssetResponseDto[]> {
await this.access.requirePermission(auth, Permission.PERSON_READ, id); await this.access.requirePermission(auth, AccessPermission.PERSON_READ, id);
const assets = await this.repository.getAssets(id); const assets = await this.repository.getAssets(id);
return assets.map((asset) => mapAsset(asset)); return assets.map((asset) => mapAsset(asset));
} }
@ -214,13 +214,13 @@ export class PersonService {
} }
async update(auth: AuthDto, id: string, dto: PersonUpdateDto): Promise<PersonResponseDto> { async update(auth: AuthDto, id: string, dto: PersonUpdateDto): Promise<PersonResponseDto> {
await this.access.requirePermission(auth, Permission.PERSON_WRITE, id); await this.access.requirePermission(auth, AccessPermission.PERSON_WRITE, id);
const { name, birthDate, isHidden, featureFaceAssetId: assetId } = dto; const { name, birthDate, isHidden, featureFaceAssetId: assetId } = dto;
// TODO: set by faceId directly // TODO: set by faceId directly
let faceId: string | undefined = undefined; let faceId: string | undefined = undefined;
if (assetId) { if (assetId) {
await this.access.requirePermission(auth, Permission.ASSET_READ, assetId); await this.access.requirePermission(auth, AccessPermission.ASSET_READ, assetId);
const [face] = await this.repository.getFacesByIds([{ personId: id, assetId }]); const [face] = await this.repository.getFacesByIds([{ personId: id, assetId }]);
if (!face) { if (!face) {
throw new BadRequestException('Invalid assetId for feature face'); throw new BadRequestException('Invalid assetId for feature face');
@ -555,13 +555,13 @@ export class PersonService {
async mergePerson(auth: AuthDto, id: string, dto: MergePersonDto): Promise<BulkIdResponseDto[]> { async mergePerson(auth: AuthDto, id: string, dto: MergePersonDto): Promise<BulkIdResponseDto[]> {
const mergeIds = dto.ids; const mergeIds = dto.ids;
await this.access.requirePermission(auth, Permission.PERSON_WRITE, id); await this.access.requirePermission(auth, AccessPermission.PERSON_WRITE, id);
let primaryPerson = await this.findOrFail(id); let primaryPerson = await this.findOrFail(id);
const primaryName = primaryPerson.name || primaryPerson.id; const primaryName = primaryPerson.name || primaryPerson.id;
const results: BulkIdResponseDto[] = []; const results: BulkIdResponseDto[] = [];
const allowedIds = await this.access.checkAccess(auth, Permission.PERSON_MERGE, mergeIds); const allowedIds = await this.access.checkAccess(auth, AccessPermission.PERSON_MERGE, mergeIds);
for (const mergeId of mergeIds) { for (const mergeId of mergeIds) {
const hasAccess = allowedIds.has(mergeId); const hasAccess = allowedIds.has(mergeId);

4
server/src/services/session.service.ts
View file

@ -1,5 +1,5 @@
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
import { SessionResponseDto, mapSession } from 'src/dtos/session.dto'; import { SessionResponseDto, mapSession } from 'src/dtos/session.dto';
import { IAccessRepository } from 'src/interfaces/access.interface'; import { IAccessRepository } from 'src/interfaces/access.interface';
@ -25,7 +25,7 @@ export class SessionService {
} }
async delete(auth: AuthDto, id: string): Promise<void> { async delete(auth: AuthDto, id: string): Promise<void> {
await this.access.requirePermission(auth, Permission.AUTH_DEVICE_DELETE, id); await this.access.requirePermission(auth, AccessPermission.AUTH_DEVICE_DELETE, id);
await this.sessionRepository.delete(id); await this.sessionRepository.delete(id);
} }

8
server/src/services/shared-link.service.ts
View file

@ -1,5 +1,5 @@
import { BadRequestException, ForbiddenException, Inject, Injectable, UnauthorizedException } from '@nestjs/common'; import { BadRequestException, ForbiddenException, Inject, Injectable, UnauthorizedException } from '@nestjs/common';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { AssetIdErrorReason, AssetIdsResponseDto } from 'src/dtos/asset-ids.response.dto'; import { AssetIdErrorReason, AssetIdsResponseDto } from 'src/dtos/asset-ids.response.dto';
import { AssetIdsDto } from 'src/dtos/asset.dto'; import { AssetIdsDto } from 'src/dtos/asset.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
@ -59,7 +59,7 @@ export class SharedLinkService {
if (!dto.albumId) { if (!dto.albumId) {
throw new BadRequestException('Invalid albumId'); throw new BadRequestException('Invalid albumId');
} }
await this.access.requirePermission(auth, Permission.ALBUM_SHARE, dto.albumId); await this.access.requirePermission(auth, AccessPermission.ALBUM_SHARE, dto.albumId);
break; break;
} }
@ -68,7 +68,7 @@ export class SharedLinkService {
throw new BadRequestException('Invalid assetIds'); throw new BadRequestException('Invalid assetIds');
} }
await this.access.requirePermission(auth, Permission.ASSET_SHARE, dto.assetIds); await this.access.requirePermission(auth, AccessPermission.ASSET_SHARE, dto.assetIds);
break; break;
} }
@ -129,7 +129,7 @@ export class SharedLinkService {
const existingAssetIds = new Set(sharedLink.assets.map((asset) => asset.id)); const existingAssetIds = new Set(sharedLink.assets.map((asset) => asset.id));
const notPresentAssetIds = dto.assetIds.filter((assetId) => !existingAssetIds.has(assetId)); const notPresentAssetIds = dto.assetIds.filter((assetId) => !existingAssetIds.has(assetId));
const allowedAssetIds = await this.access.checkAccess(auth, Permission.ASSET_SHARE, notPresentAssetIds); const allowedAssetIds = await this.access.checkAccess(auth, AccessPermission.ASSET_SHARE, notPresentAssetIds);
const results: AssetIdsResponseDto[] = []; const results: AssetIdsResponseDto[] = [];
for (const assetId of dto.assetIds) { for (const assetId of dto.assetIds) {

6
server/src/services/sync.service.ts
View file

@ -2,7 +2,7 @@ import { Inject } from '@nestjs/common';
import _ from 'lodash'; import _ from 'lodash';
import { DateTime } from 'luxon'; import { DateTime } from 'luxon';
import { AUDIT_LOG_MAX_DURATION } from 'src/constants'; import { AUDIT_LOG_MAX_DURATION } from 'src/constants';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { AssetResponseDto, mapAsset } from 'src/dtos/asset-response.dto'; import { AssetResponseDto, mapAsset } from 'src/dtos/asset-response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
import { AssetDeltaSyncDto, AssetDeltaSyncResponseDto, AssetFullSyncDto } from 'src/dtos/sync.dto'; import { AssetDeltaSyncDto, AssetDeltaSyncResponseDto, AssetFullSyncDto } from 'src/dtos/sync.dto';
@ -26,7 +26,7 @@ export class SyncService {
async getAllAssetsForUserFullSync(auth: AuthDto, dto: AssetFullSyncDto): Promise<AssetResponseDto[]> { async getAllAssetsForUserFullSync(auth: AuthDto, dto: AssetFullSyncDto): Promise<AssetResponseDto[]> {
const userId = dto.userId || auth.user.id; const userId = dto.userId || auth.user.id;
await this.access.requirePermission(auth, Permission.TIMELINE_READ, userId); await this.access.requirePermission(auth, AccessPermission.TIMELINE_READ, userId);
const assets = await this.assetRepository.getAllForUserFullSync({ const assets = await this.assetRepository.getAllForUserFullSync({
ownerId: userId, ownerId: userId,
lastCreationDate: dto.lastCreationDate, lastCreationDate: dto.lastCreationDate,
@ -39,7 +39,7 @@ export class SyncService {
} }
async getChangesForDeltaSync(auth: AuthDto, dto: AssetDeltaSyncDto): Promise<AssetDeltaSyncResponseDto> { async getChangesForDeltaSync(auth: AuthDto, dto: AssetDeltaSyncDto): Promise<AssetDeltaSyncResponseDto> {
await this.access.requirePermission(auth, Permission.TIMELINE_READ, dto.userIds); await this.access.requirePermission(auth, AccessPermission.TIMELINE_READ, dto.userIds);
const partner = await this.partnerRepository.getAll(auth.user.id); const partner = await this.partnerRepository.getAll(auth.user.id);
const userIds = [auth.user.id, ...partner.filter((p) => p.sharedWithId == auth.user.id).map((p) => p.sharedById)]; const userIds = [auth.user.id, ...partner.filter((p) => p.sharedWithId == auth.user.id).map((p) => p.sharedById)];
userIds.sort(); userIds.sort();

8
server/src/services/timeline.service.ts
View file

@ -1,5 +1,5 @@
import { BadRequestException, Inject } from '@nestjs/common'; import { BadRequestException, Inject } from '@nestjs/common';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { AssetResponseDto, SanitizedAssetResponseDto, mapAsset } from 'src/dtos/asset-response.dto'; import { AssetResponseDto, SanitizedAssetResponseDto, mapAsset } from 'src/dtos/asset-response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
import { TimeBucketAssetDto, TimeBucketDto, TimeBucketResponseDto } from 'src/dtos/time-bucket.dto'; import { TimeBucketAssetDto, TimeBucketDto, TimeBucketResponseDto } from 'src/dtos/time-bucket.dto';
@ -59,15 +59,15 @@ export class TimelineService {
private async timeBucketChecks(auth: AuthDto, dto: TimeBucketDto) { private async timeBucketChecks(auth: AuthDto, dto: TimeBucketDto) {
if (dto.albumId) { if (dto.albumId) {
await this.accessCore.requirePermission(auth, Permission.ALBUM_READ, [dto.albumId]); await this.accessCore.requirePermission(auth, AccessPermission.ALBUM_READ, [dto.albumId]);
} else { } else {
dto.userId = dto.userId || auth.user.id; dto.userId = dto.userId || auth.user.id;
} }
if (dto.userId) { if (dto.userId) {
await this.accessCore.requirePermission(auth, Permission.TIMELINE_READ, [dto.userId]); await this.accessCore.requirePermission(auth, AccessPermission.TIMELINE_READ, [dto.userId]);
if (dto.isArchived !== false) { if (dto.isArchived !== false) {
await this.accessCore.requirePermission(auth, Permission.ARCHIVE_READ, [dto.userId]); await this.accessCore.requirePermission(auth, AccessPermission.ARCHIVE_READ, [dto.userId]);
} }
} }

4
server/src/services/trash.service.ts
View file

@ -1,6 +1,6 @@
import { Inject } from '@nestjs/common'; import { Inject } from '@nestjs/common';
import { DateTime } from 'luxon'; import { DateTime } from 'luxon';
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { BulkIdsDto } from 'src/dtos/asset-ids.response.dto'; import { BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
import { IAccessRepository } from 'src/interfaces/access.interface'; import { IAccessRepository } from 'src/interfaces/access.interface';
@ -23,7 +23,7 @@ export class TrashService {
async restoreAssets(auth: AuthDto, dto: BulkIdsDto): Promise<void> { async restoreAssets(auth: AuthDto, dto: BulkIdsDto): Promise<void> {
const { ids } = dto; const { ids } = dto;
await this.access.requirePermission(auth, Permission.ASSET_RESTORE, ids); await this.access.requirePermission(auth, AccessPermission.ASSET_RESTORE, ids);
await this.restoreAndSend(auth, ids); await this.restoreAndSend(auth, ids);
} }

10
server/src/services/user.service.ts
View file

@ -3,7 +3,7 @@ import { DateTime } from 'luxon';
import { StorageCore, StorageFolder } from 'src/cores/storage.core'; import { StorageCore, StorageFolder } from 'src/cores/storage.core';
import { SystemConfigCore } from 'src/cores/system-config.core'; import { SystemConfigCore } from 'src/cores/system-config.core';
import { UserCore } from 'src/cores/user.core'; import { UserCore } from 'src/cores/user.core';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto, presetToPermissions } from 'src/dtos/auth.dto';
import { CreateProfileImageResponseDto, mapCreateProfileImageResponse } from 'src/dtos/user-profile.dto'; import { CreateProfileImageResponseDto, mapCreateProfileImageResponse } from 'src/dtos/user-profile.dto';
import { CreateUserDto, DeleteUserDto, UpdateUserDto, UserResponseDto, mapUser } from 'src/dtos/user.dto'; import { CreateUserDto, DeleteUserDto, UpdateUserDto, UserResponseDto, mapUser } from 'src/dtos/user.dto';
import { UserEntity, UserStatus } from 'src/entities/user.entity'; import { UserEntity, UserStatus } from 'src/entities/user.entity';
@ -60,8 +60,9 @@ export class UserService {
return this.findOrFail(auth.user.id, {}).then(mapUser); return this.findOrFail(auth.user.id, {}).then(mapUser);
} }
create(createUserDto: CreateUserDto): Promise<UserResponseDto> { create(dto: CreateUserDto): Promise<UserResponseDto> {
return this.userCore.createUser(createUserDto).then(mapUser); const permissions = presetToPermissions(dto);
return this.userCore.createUser({ ...dto, permissions }).then(mapUser);
} }
async update(auth: AuthDto, dto: UpdateUserDto): Promise<UserResponseDto> { async update(auth: AuthDto, dto: UpdateUserDto): Promise<UserResponseDto> {
@ -71,7 +72,8 @@ export class UserService {
await this.userRepository.syncUsage(dto.id); await this.userRepository.syncUsage(dto.id);
} }
return this.userCore.updateUser(auth.user, dto.id, dto).then(mapUser); const permissions = presetToPermissions(dto);
return this.userCore.updateUser(auth.user, dto.id, { ...dto, permissions }).then(mapUser);
} }
async delete(auth: AuthDto, id: string, dto: DeleteUserDto): Promise<UserResponseDto> { async delete(auth: AuthDto, id: string, dto: DeleteUserDto): Promise<UserResponseDto> {

6
server/src/utils/asset.util.ts
View file

@ -1,4 +1,4 @@
import { AccessCore, Permission } from 'src/cores/access.core'; import { AccessCore, AccessPermission } from 'src/cores/access.core';
import { BulkIdErrorReason, BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto'; import { BulkIdErrorReason, BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto';
import { AuthDto } from 'src/dtos/auth.dto'; import { AuthDto } from 'src/dtos/auth.dto';
import { IAccessRepository } from 'src/interfaces/access.interface'; import { IAccessRepository } from 'src/interfaces/access.interface';
@ -20,7 +20,7 @@ export const addAssets = async (
const existingAssetIds = await repository.getAssetIds(dto.id, dto.assetIds); const existingAssetIds = await repository.getAssetIds(dto.id, dto.assetIds);
const notPresentAssetIds = dto.assetIds.filter((id) => !existingAssetIds.has(id)); const notPresentAssetIds = dto.assetIds.filter((id) => !existingAssetIds.has(id));
const allowedAssetIds = await access.checkAccess(auth, Permission.ASSET_SHARE, notPresentAssetIds); const allowedAssetIds = await access.checkAccess(auth, AccessPermission.ASSET_SHARE, notPresentAssetIds);
const results: BulkIdResponseDto[] = []; const results: BulkIdResponseDto[] = [];
for (const assetId of dto.assetIds) { for (const assetId of dto.assetIds) {
@ -50,7 +50,7 @@ export const addAssets = async (
export const removeAssets = async ( export const removeAssets = async (
auth: AuthDto, auth: AuthDto,
repositories: { accessRepository: IAccessRepository; repository: IBulkAsset }, repositories: { accessRepository: IAccessRepository; repository: IBulkAsset },
dto: { id: string; assetIds: string[]; permissions: Permission[] }, dto: { id: string; assetIds: string[]; permissions: AccessPermission[] },
) => { ) => {
const { accessRepository, repository } = repositories; const { accessRepository, repository } = repositories;
const access = AccessCore.create(accessRepository); const access = AccessCore.create(accessRepository);

4
server/src/utils/misc.ts
View file

@ -103,10 +103,6 @@ const patchOpenAPI = (document: OpenAPIObject) => {
continue; continue;
} }
if ((operation.security || []).some((item) => !!item[Metadata.PUBLIC_SECURITY])) {
delete operation.security;
}
if (operation.summary === '') { if (operation.summary === '') {
delete operation.summary; delete operation.summary;
} }